Offline password attacks on AS-REQ

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Offline password attacks on AS-REQ


In my company, we're pitching a Kerberos-based solution to authenticate tens of thousands of Linux users to Active Directory.  To increase the likelihood of approval by the higher-ups, we really need to eliminate all perceived security holes.  

Although preauthentication helps some, Kerberos version 5 is susceptible to offline, brute force, password attacks on the initial AS-REQ.  I saw some discussion about this from a few years ago in the archives, but nothing recently.  Is there a solution to this issue yet?  If not, what progress has been made, and what direction is being taken?  I do have some familiarity with MIT Kerberos source code internals, having interfaced some the library's low-level profile and DNS SRV functions to hack out support for Microsoft's extended version of DNS SRV.   Depending on how big the task is, I might be able to spend some time at work to code a solution.


Kerberos mailing list           [hidden email]