On Fri, 2014-08-29 at 14:54 +0100, John Hodrien wrote:
> On Fri, 29 Aug 2014, Simo Sorce wrote:
> > Although if one of the machines is compromised, now you can fool the
> > others, still better than no validation at all.
> If I give you a null/unused.hostname@DOMAIN credential in a keytab, what can
> you fool?
If you use the same keytab on multiple machines and one machine is
compromised (and the keytab stolen) then I can impersonate a fake KDC
against the other machines using the same keytab for validation.
That's all.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
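The attack Simo describes, as an added example that is not part of the original thread and is not FreeIPA or MIT Kerberos code: a simplified model of the pam_krb5-style KDC validation check (after getting a TGT, ask for a ticket to your own host principal and check it against your keytab). The model replaces ticket encryption with an HMAC under the host key, and the hostnames, principals and the "stolen key" are constructed for illustration. It compares a keytab shared across hosts with per-host keys to show which machines a rogue KDC holding one stolen key can fool.

```python
import hmac
import hashlib
import secrets

# Constructed model, not real Kerberos: a "keytab" is just the host's
# long-term key, and a "ticket" is an HMAC over the ticket body under
# that key, standing in for a ticket encrypted to the service key.


def make_ticket(kdc_keys, principal, client, session_key):
    """KDC side: issue a ticket for `principal` using whatever key this KDC
    holds for it. A KDC with no key for the principal cannot forge one."""
    key = kdc_keys.get(principal)
    if key is None:
        return None
    body = f"{client}|{principal}|{session_key}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


def validate_kdc(keytab, ticket):
    """Client side: verify a ticket for our own host principal against the
    key in our keytab. Only a KDC that knows this key passes the check."""
    if ticket is None:
        return False
    body, tag = ticket
    expected = hmac.new(keytab, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def fooled_hosts(keytabs, rogue_kdc_keys):
    """Return the hosts whose validation check a rogue KDC passes."""
    fooled = []
    for host, keytab in sorted(keytabs.items()):
        principal = f"host/{host}"
        ticket = make_ticket(rogue_kdc_keys, principal, "alice", "sk1")
        if validate_kdc(keytab, ticket):
            fooled.append(host)
    return fooled


def run(shared_keytab):
    """Constructed scenario: three hosts, a.example.com gets compromised and
    its keytab stolen. The attacker runs a rogue KDC that answers every
    host principal with the one key it stole."""
    hosts = ["a.example.com", "b.example.com", "c.example.com"]
    if shared_keytab:
        # Same keytab copied to every machine (the case Simo warns about).
        key = secrets.token_bytes(32)
        keytabs = {h: key for h in hosts}
    else:
        # A distinct key per host.
        keytabs = {h: secrets.token_bytes(32) for h in hosts}

    stolen = keytabs["a.example.com"]
    rogue_kdc = {f"host/{h}": stolen for h in hosts}

    # Sanity check: the real KDC, holding every host key, passes everywhere.
    real_kdc = {f"host/{h}": k for h, k in keytabs.items()}
    assert fooled_hosts(keytabs, real_kdc) == sorted(hosts)

    # A rogue KDC with no keys at all passes nowhere: validation works.
    assert fooled_hosts(keytabs, {}) == []

    return fooled_hosts(keytabs, rogue_kdc)


if __name__ == "__main__":
    print("shared keytab, one host compromised:", run(True))
    print("per-host keytabs, one host compromised:", run(False))
```

With a shared keytab every host accepts the rogue KDC, because the stolen key is the key each host validates against; with per-host keys the rogue KDC only passes on the machine whose keytab was stolen, which was already compromised anyway.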