Russ Allbery wrote: > Here is the confirmation and analysis from upstream, forwarded with > permission. Another person (not publicly, so I won't mention his name > just in case he didn't wish to be mentioned) also pointed out that since > you can break the encryption used to protect the TGT, you can also then > use that Kerberos TGT to obtain further tickets until it expires (which in > the Kerberos world is usually some locally-configured time period between > eight hours and two weeks, usually on the shorter end of that range). > > Any sessions started via a Kerberos TGT issued by a vulnerable Kerberos > KDC should be considered suspect, although the key space isn't, I believe, > quite as small as it is for some of the other affected software. Could you summarise the changes that should be made to the key-rollover page (or provide a patch)? -- see shy jo
Attachment:
signature.asc
Description: Digital signature