Subject: Re: Shadow discussions ... don't forget skey
daemon@ATHENA.MIT.EDU (Jeremy Fitzhardinge)
Thu Mar 9 08:58:14 1995
From: jeremy@sour.sw.oz.au (Jeremy Fitzhardinge)
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 9 Mar 1995 19:05:37 +1000 (EST)
In-Reply-To: <9503082015.AA00639@dcl.MIT.EDU> from "Theodore Ts'o" at Mar 8, 95 03:15:37 pm
Reply-To: linux-security@tarsier.cv.nrao.edu
Theodore T'so:
> Date: Wed, 8 Mar 1995 07:39:23 -0500
> From: Tom Dunigan 576-2522 <dunigan@thdsun.epm.ornl.gov>
>
> Strong passwords, shadowed, and kerberized are still vulnerable
> ^^^^^^^^^^
> to sniffer attacks. You should consider one-time passwords
>[...]
> You obviously have no idea how Kerberos works. Kerberos is designed
> such that you never need to send clear text passwords across the
> network.
This is true in theory, but there are situations where plaintext
passwords will still be passed over the network. For example, we
have X terminals on every desk which can't run anything locally.
Even if Kerberos were installed, there'd be passwords going between
the terminal and the CPU host. Of course, this is a failure in
implementation rather than in Kerberos, since it must be installed
to work end-to-end.

I think the point is that one-time password systems like skey
are end-to-end, regardless of the underlying connections.
J
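The end-to-end property being argued for above rests on how an S/Key-style hash chain is verified: the server keeps only the last accepted value, the user sends the preimage of it, and anything a sniffer captures on the wire has already been consumed by the time it is replayed. The following is an added illustration written for this archive page, not code from the original message or from any S/Key distribution. It assumes SHA-256 in place of the MD4/MD5 that real S/Key uses and omits S/Key's 64-bit folding step, so it demonstrates the Lamport hash-chain mechanism rather than an RFC 1760-compatible implementation; the seed, passphrase and chain length are constructed sample values.

```python
"""S/Key-style one-time password chain (added illustration).

Assumptions, not taken from the original message: SHA-256 stands in for
the MD4/MD5 of real S/Key, the 64-bit folding step is omitted, and the
seed/passphrase/chain length below are constructed sample values.
"""
import hashlib


def h(data: bytes) -> bytes:
    """One step of the chain (SHA-256 here; real S/Key folds MD4/MD5 to 64 bits)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: str, passphrase: str, n: int) -> list:
    """Return [x0, x1, ..., xn] with x0 = h(seed || passphrase), xi = h(x_{i-1}).

    Only the client, which knows the passphrase, can compute this list.
    """
    x = h((seed + passphrase).encode())
    chain = [x]
    for _ in range(n):
        x = h(x)
        chain.append(x)
    return chain


def client_response(seed: str, passphrase: str, index: int) -> bytes:
    """What the user types in reply to challenge (index, seed): x_index.

    Recomputed from the passphrase each time; nothing is stored client-side.
    """
    return make_chain(seed, passphrase, index)[index]


class SKeyServer:
    """Holds the seed, the counter and the last verified chain value only.

    The passphrase never reaches the server, and the stored value cannot be
    turned back into the next acceptable response without inverting h().
    """

    def __init__(self, seed: str, top_of_chain: bytes, n: int):
        self.seed = seed
        self.last = top_of_chain   # x_n, initialised out of band
        self.counter = n           # next acceptable response is x_{counter-1}

    def challenge(self):
        """Sent in the clear; it reveals nothing useful to a sniffer."""
        return self.counter - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff h(response) equals the last accepted value, then step down."""
        if self.counter <= 0:
            return False               # chain exhausted; needs re-initialisation
        if h(response) != self.last:
            return False
        self.last = response
        self.counter -= 1
        return True


def demo() -> dict:
    """Legitimate login, sniffer replay of the captured response, next login."""
    seed = "ab12345"                              # constructed sample
    passphrase = "correct horse battery staple"   # constructed sample
    n = 5
    server = SKeyServer(seed, make_chain(seed, passphrase, n)[n], n)
    results = {}

    idx, s = server.challenge()                   # idx == 4
    captured = client_response(s, passphrase, idx)   # what the sniffer sees
    results["first_login"] = server.verify(captured)

    # Replaying the sniffed value fails: the server now expects x_3, not x_4.
    results["replay"] = server.verify(captured)

    idx, s = server.challenge()                   # idx == 3
    results["second_login"] = server.verify(client_response(s, passphrase, idx))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the X-terminal case in the message is exactly where this helps: the terminal may carry the typed response in the clear to the CPU host, but that response is worthless to anyone who captured it, whereas a sniffed reusable password is good until changed.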