[282] in linux-security and linux-alert archive


Re: Secure Distributed Password System?

daemon@ATHENA.MIT.EDU (Raul Miller)
Fri Jul 7 20:33:39 1995

Date: Fri, 7 Jul 95 12:05 GMT
From: rdr@legislate.com (Raul Miller)
To: linux-security@tarsier.cv.nrao.edu
In-reply-to: <2FFD6E04@smtpgw.legislate.com> (RDMiller@legislate.com)

Alex:
   > Assuming that clients are diskless and/or there are Xterminals or
   > just terminals attached to the network, I think that Kerberos is
   > not a solution because:
   > 
   >       a) Bootp protocol is not Kerberos aware, i.e. it is subject to
   >          spoofing
   >       b) During the login procedure a packet sniffer will pick up a password

Alan Cox:
   Diskless clients are ok - the snooper will see the nfs load of the
   program not the password. Xterminals are.

   Bootp doesn't matter. Someone can spoof bootp information, they can
   even get a new machine on the net. They still have to know their
   Kerberos password to go any further.

Bootp matters.

The problem is not spoofing of a bootp client, but spoofing a bootp
server.  Here, you can have corrupt code running resulting in a
non-secure environment into which you would inject a Kerberos
password.

Voila, instant compromised password.

-- 
Raul Miller
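
The spoofed-server case described in this message can at least be watched for on the wire. The following is an added example, not part of the original message: it parses the fixed RFC 951 BOOTP header and reports BOOTREPLY packets whose sender or advertised boot server (siaddr) is not on a list of known servers. It assumes the packets are already captured as (source IP, UDP payload) pairs; the function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

# RFC 951 fixed BOOTP header (236 bytes); the 64-byte vendor area follows it.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREPLY = 2

def parse_bootp(payload):
    """Return op, xid, siaddr and boot file of a BOOTP message, or None if truncated."""
    if len(payload) < BOOTP_HDR.size:
        return None
    fields = BOOTP_HDR.unpack_from(payload)
    op, xid, siaddr, bootfile = fields[0], fields[4], fields[9], fields[13]
    return {
        "op": op,
        "xid": xid,
        "siaddr": socket.inet_ntoa(siaddr),
        "file": bootfile.split(b"\0", 1)[0].decode("ascii", "replace"),
    }

def rogue_replies(packets, allowed_servers):
    """Return (source, siaddr, boot file) for replies not tied to an allowed server."""
    findings = []
    for src_ip, payload in packets:
        msg = parse_bootp(payload)
        if msg is None or msg["op"] != BOOTREPLY:
            continue  # ignore truncated packets and client requests
        if src_ip not in allowed_servers or msg["siaddr"] not in allowed_servers:
            findings.append((src_ip, msg["siaddr"], msg["file"]))
    return findings

def _bootp(siaddr, bootfile, op=BOOTREPLY):
    """Build a constructed BOOTP message for the sample data below."""
    zero = socket.inet_aton("0.0.0.0")
    return BOOTP_HDR.pack(op, 1, 6, 0, 0x1234, 0, 0, zero,
                          socket.inet_aton("192.0.2.50"), socket.inet_aton(siaddr),
                          zero, bytes.fromhex("020000000001"), b"",
                          bootfile.encode("ascii")) + bytes(64)

# Constructed sample: one legitimate reply, one from an unknown server,
# one client request, one truncated packet.
SAMPLE = [
    ("192.0.2.10", _bootp("192.0.2.10", "/tftpboot/kernel")),
    ("192.0.2.66", _bootp("192.0.2.66", "/tftpboot/kernel")),
    ("192.0.2.50", _bootp("0.0.0.0", "", op=1)),
    ("192.0.2.66", b"\x02\x01\x06"),
]

if __name__ == "__main__":
    for finding in rogue_replies(SAMPLE, {"192.0.2.10"}):
        print("unexpected BOOTP reply:", finding)
```

A check like this only notices an unexpected responder; it does not authenticate the boot image, so the client still has no way to know the code it loaded is the code it should trust with a password.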

