holowoodman 6 days ago

An actually useful mitigation would be to use service keytabs instead of service passwords, because a keytab is a file that just contains an AES128/256/RC4 key instead of a password, which makes it sufficiently hard to guess. The service then just uses this file to decrypt its service tickets.

However, keytab usage is rare in the Windows AD world because people don't seem to comprehend what a keytab is and does, and why it is far better than using passwords for services.
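
The keytab file described above is a concrete format a defender can audit. The following is an added example, not code from this thread: it parses an MIT-format version 2 keytab (the format consumed by non-Windows Kerberos services and produced by tools such as ktutil or ktpass), lists each entry's principal, kvno, enctype and key length, and flags legacy DES/3DES/RC4 entries. The sample keytab, the principal HTTP/web.corp.example@CORP.EXAMPLE and the all-zero keys are constructed here for illustration.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962/4757) used to label entries.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 16, 23}   # DES, 3DES and RC4 entries get flagged on audit

def _counted(buf, off):   # uint16-length-prefixed octet string (counted_octet_string)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT version-2 keytab (magic 0x0502, big-endian fields) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot: skip it
            off -= size; continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # fixed part of the entry: name_type, timestamp, 8-bit kvno, enctype, key length
        _, _, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        key, off = data[off + 13:off + 13 + klen], off + 13 + klen
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8  # optional 32-bit kvno wins
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPES.get(enctype, f"unknown({enctype})"),
                        "key_len": len(key), "weak": enctype in WEAK_ENCTYPES})
    return entries

def weak_entries(data):   # audit helper: "principal enctype" for every weak-enctype entry
    return [f'{e["principal"]} {e["enctype_name"]}' for e in parse_keytab(data) if e["weak"]]

def build_entry(principal, kvno, enctype, key):   # serialiser used only for the constructed sample
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (all-zero keys, no real secret): an AES256 entry beside a legacy RC4 entry.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("HTTP/web.corp.example@CORP.EXAMPLE", 3, 18, bytes(32))
                 + build_entry("HTTP/web.corp.example@CORP.EXAMPLE", 3, 23, bytes(16)))
```

Run `weak_entries` over a real keytab read with `open(path, "rb").read()` to find entries that still carry an RC4 key and should be regenerated with AES only.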

p_ing 6 days ago | parent | next

Keytab usage is rare because the service you intend to run under that service account does not support keytabs.

There's also the knock-on effect of Kerberos being mostly hidden in Active Directory and creating keytabs requiring CLI tooling -- from way back when AD was a GUI only (mostly) affair for AD admins.

EvanAnderson 6 days ago | parent

In my experience next to nobody knows about the CLI tooling for Kerberos in Windows. It's a damn shame, too, because Windows interops well w/ standard Kerberos in my opinion.

p_ing 6 days ago | parent

The only time that I can remember having to use keytabs is with ISC DHCP... at home.

I never had to create a keytab for any 3rd-party AD-integrated software, of which there was plenty of non-MSFT stuff, when playing Domain Admin at work.

IrishTechie 5 days ago | parent

I used them with MobileIron; that was it.

LikesPwsh 5 days ago | parent | prev

A Group Managed Service Account is a better option than a keytab if you're assuming Windows Server/Active Directory.