What are the risks of using ms2mit to create an API: ccache? What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?
I’m interested in setting up ssh ticket forwarding with PuTTY + the MIT gss DLL provided by KfW (4.1) without having to deal with setting unconstrained delegation trusts on the target hosts’ AD objects. It seems that using Kerberos for Windows with an API: ccache allows me to accomplish this, but now I’m concerned that I may be opening myself up to potential client-side risks which I will need to document and manage somehow.
I’ve searched the mailing list archives about this, but mostly the discussions are about getting things to work vs. the potential consequences once they do.
On 9/17/19 8:31 AM, John Devitofranceschi wrote:
> What are the risks of using ms2mit to create an API: ccache? What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?
My best understanding is that, for a user account with administrator
privileges, a process with access to a TGT can escalate privilege
without a UAC prompt. This risk would apply regardless of whether the
TGT is obtained from the native LSA ccache or if it was stored in an API
or FILE ccache.
Kerberos mailing list https://mailman.mit.edu/mailman/listinfo/kerberos