Kerberos - tampering with ticket cache
843811, Apr 2 2004 (edited Dec 21 2007)

Hello,
sorry if this is already posted here, I couldn't find it.
I'm using the Kerberos v5 Login Module in JAAS to authenticate users (Java version is 1.4.2). I'm also using the SSO mechanisms of Kerberos, so with kinit I make a ticket for myself in the ticket cache and I'm using it without re-contacting the KDC or requiring the password again.
But I just found out that when I take a hex editor and edit the ticket cache, I can easily change my name in that ticket (e.g. to "admin" or another). After this the JAAS Login Module does not recognize the change, and yells "admin" successfully logged in. Now letting anybody work with admin privileges is not what I dreamed about! This is not a bug that I can live with!
Is there any method to recognize that the Ticket Cache was tampered with? Or any other suggestions?
Thanks in advance
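The behaviour described in the post follows from the credential-cache format itself: the client principal in an MIT ccache file is a plaintext, length-prefixed string with no integrity protection, so a login module that reads the cache can only repeat whatever name it finds there. The identity a relying party can actually trust lives inside the ticket, which the KDC encrypts under the service's long-term key; it surfaces only when the ticket is presented to that service and decrypted (in Java, GSS-API context acceptance). The example below, added here and not code from the original post or from the JDK, writes and parses a ccache v4 image, shows that a cache with a different client name but the same ticket parses cleanly, and models the service-side check that catches the mismatch. The ccache layout follows the MIT v4 format; the ticket contents are a constructed stand-in (an HMAC under the service key) for the real ASN.1 EncTicketPart, and all names, keys and the `service_authenticate` helper are assumptions made for the illustration.

```python
"""Minimal MIT ccache v4 reader/writer plus a model of what a service trusts.

Added example, not code from the original post or the JDK. The ticket body is
a constructed stand-in: real tickets are ASN.1 encrypted under the service
key, but the property modelled here is the same, namely that only the service
(and the KDC) can check what is sealed inside.
"""
import hashlib
import hmac
import struct


def _cstr(b: bytes) -> bytes:
    """counted_octet_string: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(realm: str, name: str, name_type: int = 1) -> bytes:
    """ccache principal: name_type, component count, realm, components."""
    comps = name.split("/")
    out = struct.pack(">II", name_type, len(comps)) + _cstr(realm.encode())
    for c in comps:
        out += _cstr(c.encode())
    return out


def seal_ticket(service_key: bytes, client_principal: str) -> bytes:
    """Constructed stand-in for the KDC-issued ticket: client name + tag under the service key."""
    body = client_principal.encode()
    return body + hmac.new(service_key, body, hashlib.sha256).digest()


def build_ccache(client: str, realm: str, service: str, ticket: bytes,
                 session_key: bytes = b"\x11" * 16) -> bytes:
    """Write a one-credential ccache file image in MIT format v4 (big-endian)."""
    hdr = struct.pack(">HHII", 1, 8, 0, 0)           # header field: DeltaTime tag=1, len=8
    out = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr
    out += _principal(realm, client)                  # default principal (plaintext!)
    cred = _principal(realm, client) + _principal(realm, service)
    cred += struct.pack(">H", 18) + _cstr(session_key)  # keyblock: enctype 18 + key bytes
    cred += struct.pack(">IIII", 0, 0, 0, 0)          # authtime, starttime, endtime, renew_till
    cred += b"\x00" + struct.pack(">I", 0)            # is_skey, ticket_flags
    cred += struct.pack(">II", 0, 0)                  # no addresses, no authdata
    cred += _cstr(ticket) + _cstr(b"")                # ticket, second_ticket
    return out + cred


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def cstr(self) -> bytes: return self.take(self.u32())

    def principal(self) -> str:
        self.u32()                                    # name type, not needed here
        n = self.u32()
        realm = self.cstr().decode()
        return "/".join(self.cstr().decode() for _ in range(n)) + "@" + realm


def parse_ccache(data: bytes) -> dict:
    """Parse the first credential of a v4 ccache. Nothing here is authenticated."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format v4 handled here")
    r.take(r.u16())                                   # skip header fields
    default, client, server = r.principal(), r.principal(), r.principal()
    r.u16(); r.cstr()                                 # keyblock
    for _ in range(4): r.u32()                        # times
    r.u8(); r.u32()                                   # is_skey, ticket_flags
    for _ in range(r.u32()): r.u16(); r.cstr()        # addresses
    for _ in range(r.u32()): r.u16(); r.cstr()        # authdata
    ticket = r.cstr(); r.cstr()                       # ticket, second_ticket
    return {"default_principal": default, "client": client, "server": server, "ticket": ticket}


def service_authenticate(ccache_data: bytes, service_key: bytes) -> tuple:
    """Model of the acceptor side: identity comes from the sealed ticket, never from the cache name.

    Returns (authenticated_name, name_claimed_by_cache, names_agree).
    """
    cred = parse_ccache(ccache_data)
    body, tag = cred["ticket"][:-32], cred["ticket"][-32:]
    if not hmac.compare_digest(tag, hmac.new(service_key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket was not sealed under this service's key")
    authenticated = body.decode()
    return authenticated, cred["client"], authenticated == cred["client"]


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    key = b"constructed-service-key-for-demo"
    tkt = seal_ticket(key, "joe@EXAMPLE.COM")
    honest = build_ccache("joe", "EXAMPLE.COM", "host/app.example.com", tkt)
    renamed = build_ccache("admin", "EXAMPLE.COM", "host/app.example.com", tkt)  # same ticket, edited name
    print("cache says:", parse_ccache(renamed)["client"])          # admin@EXAMPLE.COM, no error raised
    print("service sees:", service_authenticate(renamed, key))     # ('joe@EXAMPLE.COM', 'admin@EXAMPLE.COM', False)
    print("honest cache:", service_authenticate(honest, key))
```

The takeaway for the JAAS setup in the post: a name reported by `Krb5LoginModule` with `useTicketCache=true` is the cache's claim, not an authenticated fact; the only trustworthy client name is the one the service obtains after decrypting the ticket with its own key, so authorization decisions belong on the acceptor side of a GSS-API exchange rather than on the local login result.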