Using ms2mit...risks?

Using ms2mit...risks?

John Devitofranceschi-2
What are the risks of using ms2mit to create an API: ccache?  What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?

I’m interested in setting up ssh ticket forwarding with PuTTY + the MIT gss DLL provided by KfW (4.1) without having to deal with setting unconstrained delegation trusts on the target hosts’ AD objects.  It seems that using Kerberos for Windows with an API: ccache allows me to accomplish this, but now I’m concerned that I may be opening myself up to potential client-side risks which I will need to document and manage somehow.

I’ve searched the mailing list archives about this, but mostly the discussions are about getting things to work vs. the potential consequences once they do.

Any pointers appreciated.



________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Using ms2mit...risks?

Greg Hudson
On 9/17/19 8:31 AM, John Devitofranceschi wrote:
> What are the risks of using ms2mit to create an API: ccache?  What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?

My best understanding is that, for a user account with administrator
privileges, a process with access to a TGT can escalate privilege
without a UAC prompt.  This risk would apply regardless of whether the
TGT is obtained from the native LSA ccache or if it was stored in an API
or FILE ccache.