[79] in linux-security and linux-alert archive
Re: Shadow discussions ... don't forget skey
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Mar 9 14:10:44 1995
Date: Thu, 9 Mar 1995 13:09:22 +0500
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: Tom Dunigan 576-2522 <dunigan@thdsun.epm.ornl.gov>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Tom Dunigan 576-2522's message of Thu, 9 Mar 1995 08:16:09 -0500,
<199503091316.IAA14731@thdsun.epm.ornl.gov>
Reply-To: linux-security@tarsier.cv.nrao.edu
> Date: Thu, 9 Mar 1995 08:16:09 -0500
> From: Tom Dunigan 576-2522 <dunigan@thdsun.epm.ornl.gov>
> NOT.
> The assumption was logins from "remote" (uncontrolled and un-kerberized)
> sites. Say you want to log in to your Kerberized client from
> the floor of Interop or from a terminal server (or from a computer
> at a location without Kerberos), your password will go in clear
> text over the net .... bad news.
But then you're not using Kerberos to login to your workstation. You're
using plain telnet, or plain rlogin. My comments still apply that if
you're using Kerberos the way that it's intended to be used, your
Kerberos password is not subject to sniffer attacks. Your
characterization of Kerberos as being subject to sniffer attacks is what
I objected to.
If you expose your Kerberos password in a non-Kerberos context, then of
course it's vulnerable to attacks. There's nothing magic about the fact
that a password which is used with Kerberos that will protect it if you
expose it in a stupid fashion.
> Talk to Jeff Schiller (jis@mit.edu) about his solution that combines
> skey and Kerberos, making a clever use of Public Key in the process.
I'm very well aware of his proposed solution. Jeff and I work together
at MIT. I'm a member of the Security Area Directorate within the IETF, and
Jeff is the Security Area Director, so he organized the SA Directorate.
FYI, I'm also managing the Kerberos development at MIT.
- Ted
[Mod: Let's please not get into an exhaustive debate/discussion on
Kerberos itself here, unless it relates somehow to Linux-specific
implementations. Thanks. --Jeff.]
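The distinction argued in this exchange, a login whose password crosses the network in the clear versus a Kerberos-style login where only ciphertext does, as an added example that is not part of the original thread and is not MIT Kerberos code. It reduces the protocol to one AS-REQ/AS-REP round with encrypted-timestamp pre-authentication; PBKDF2-SHA256 stands in for Kerberos string2key, an HMAC-SHA256 keystream plus HMAC tag stands in for the real cipher, and the realm, principal name and passwords are constructed. A `wire` list plays the sniffer: every message either side sends is appended to it.

```python
# Added example, not code from the thread or from MIT Kerberos. Cipher, key
# derivation, message layout, realm and names are simplified stand-ins.
import hashlib
import hmac
import json
import os
import time

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def string_to_key(password: str, salt: str) -> bytes:
    """Derive the principal's long-term key from the password; the password
    itself never leaves the host that typed it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. Without the key the blob is opaque."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Toy authentication server: it stores derived keys, never passwords."""

    def __init__(self, realm: str = "TOY.REALM") -> None:
        self.realm = realm
        self.master_key = os.urandom(KEY_LEN)  # seals ticket-granting tickets
        self.principals = {}

    def add_principal(self, name: str, password: str) -> None:
        self.principals[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, as_req: dict) -> bytes:
        """AS-REQ with pre-authentication in, AS-REP out. Raises on a bad key."""
        user_key = self.principals[as_req["client"]]
        stamp = int(decrypt(user_key, bytes.fromhex(as_req["preauth"])).decode())
        if abs(time.time() - stamp) > 300:
            raise ValueError("timestamp outside allowed skew (replay?)")
        session_key = os.urandom(KEY_LEN)
        tgt = encrypt(self.master_key,
                      json.dumps({"client": as_req["client"], "key": session_key.hex()}).encode())
        # Only the holder of the user's key can open the reply; only the KDC can open the TGT.
        return encrypt(user_key, json.dumps({"key": session_key.hex(), "tgt": tgt.hex()}).encode())

    def open_tgt(self, tgt: bytes) -> bytes:
        return bytes.fromhex(json.loads(decrypt(self.master_key, tgt))["key"])


def kerberos_login(name: str, password: str, kdc: KDC, wire: list):
    """Client side of the AS exchange. Everything a sniffer could see goes on `wire`."""
    user_key = string_to_key(password, kdc.realm + name)
    preauth = encrypt(user_key, str(int(time.time())).encode())
    as_req = {"client": name, "preauth": preauth.hex()}
    wire.append(json.dumps(as_req).encode())
    as_rep = kdc.as_exchange(as_req)
    wire.append(as_rep)
    body = json.loads(decrypt(user_key, as_rep))
    return bytes.fromhex(body["key"]), bytes.fromhex(body["tgt"])


def telnet_login(name: str, password: str, wire: list) -> None:
    """Plain telnet/rlogin: the password crosses the network exactly as typed."""
    wire.append(f"login: {name}\r\n".encode())
    wire.append(f"Password: {password}\r\n".encode())


def password_on_wire(wire: list, password: str) -> bool:
    """What the sniffer learns: does the password occur in any captured message?"""
    return any(password.encode() in pkt for pkt in wire)


def login_rejected(name: str, password: str, kdc: KDC) -> bool:
    """True when the KDC refuses the attempt (wrong password fails the preauth decrypt)."""
    try:
        kerberos_login(name, password, kdc, [])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_principal("tytso", "correct horse battery")  # constructed credentials
    cap = []
    kerberos_login("tytso", "correct horse battery", kdc, cap)
    print("Kerberos login, password visible to sniffer:", password_on_wire(cap, "correct horse battery"))
    cap = []
    telnet_login("tytso", "correct horse battery", cap)
    print("telnet login,   password visible to sniffer:", password_on_wire(cap, "correct horse battery"))
```

In the Kerberos capture the sniffer gets the principal name and two blobs (an encrypted timestamp and the sealed AS-REP); in the telnet capture it gets the password itself. The same client typing the same password from a non-Kerberized terminal over plain telnet is exactly the exposure the quoted message describes, and it is the telnet session, not the Kerberos exchange, that leaks it.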