[67] in linux-security and linux-alert archive
Re: Shadow discussions ... don't forget skey
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Mar 8 17:39:34 1995
Date: Wed, 8 Mar 1995 15:15:37 +0500
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: linux-security@tarsier.cv.nrao.edu
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Tom Dunigan 576-2522's message of Wed, 8 Mar 1995 07:39:23 -0500, <199503081239.HAA09293@thdsun.epm.ornl.gov>
Reply-To: linux-security@tarsier.cv.nrao.edu
> Date: Wed, 8 Mar 1995 07:39:23 -0500
> From: Tom Dunigan 576-2522 <dunigan@thdsun.epm.ornl.gov>
>
> Strong passwords, shadowed, and kerberized are still vulnerable
                                  ^^^^^^^^^^
> to sniffer attacks. You should consider one-time passwords
> if you have users logging in to your linux boxes from
> remote sites (e.g., universities). Hackers have elegant
> sniffer programs that capture clear text passwords off
> LANs.
You obviously have no idea how Kerberos works. Kerberos is designed
such that you never need to send clear text passwords across the
network. Instead, you have a central authentication server which you
must keep physically (and logically) secure. When you log in to a
workstation, the Kerberos server sends you your Kerberos credentials
(which are cryptographic objects), encrypted in your login password.
These credentials are then decrypted by your workstation if you can
supply your kinit (or login) program with your correct login password.
These credentials can then be used by a Kerberized telnet (or rlogin)
client to securely log in to a remote machine without ever needing to
type your password over the network.
- Ted
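A constructed Python model of the initial Kerberos exchange Ted describes, added here as an illustration (it is not MIT Kerberos code, and the cipher is a simplified HMAC-based stand-in for a real Kerberos encryption type): the authentication server seals the credentials under a key derived from the user's password, the client's kinit unseals them locally, and the password itself never appears on the wire. The realm, principal name, password and the KDC's key table are all constructed for the example.

```python
import hashlib, hmac, json, os

NONCE_LEN, TAG_LEN = 16, 32

# Stand-in for Kerberos string-to-key: the user's long-term key is derived from
# the password plus a salt (Kerberos 5 salts with the realm and principal name).
def string_to_key(password: str, realm: str, principal: str) -> bytes:
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

# Simplified stand-in for a Kerberos encryption type: HMAC-SHA256 keystream
# (XOR) with an encrypt-then-MAC tag, so a wrong key is detected, not garbage.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, out = 0, b""
    while len(out) < length:
        out += hmac.new(key, nonce + blocks.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong password (hence wrong key) or a tampered reply
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# KDC side: the reply carries a fresh session key sealed under the user's key.
def kdc_as_reply(user_keys: dict, principal: str) -> bytes:
    creds = {"principal": principal, "session_key": os.urandom(32).hex()}
    return seal(user_keys[principal], json.dumps(creds).encode())

# Client side (kinit): decrypt locally with a key derived from the typed password.
def client_kinit(as_rep: bytes, password: str, realm: str, principal: str):
    plaintext = unseal(string_to_key(password, realm, principal), as_rep)
    return None if plaintext is None else json.loads(plaintext)

def demo() -> dict:
    realm, principal, password = "EXAMPLE.ORG", "alice", "correct horse battery staple"
    user_keys = {principal: string_to_key(password, realm, principal)}  # constructed KDC table
    wire = kdc_as_reply(user_keys, principal)  # the only thing a LAN sniffer captures
    return {"password_on_wire": password.encode() in wire,
            "good": client_kinit(wire, password, realm, principal),
            "bad": client_kinit(wire, "wrong password", realm, principal)}
```

What a sniffer does capture is ciphertext keyed by the password, so the exchange is only as strong as that password against offline guessing; that is why Tom's point about strong passwords still holds even with Kerberos in place.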