[1006] in Kerberos
RE: Why is initial user authentication done the way it is?
daemon@ATHENA.MIT.EDU (bede@linus.mitre.org)
Fri Jun 15 00:25:28 1990
Date: Thu, 14 Jun 90 23:43:18 -0400
From: bede@linus.mitre.org
To: smb@ulysses.att.com
Cc: kerberos@ATHENA.MIT.EDU, bcn@cs.washington.edu, mischu@allegra.att.com
In-Reply-To: smb@ulysses.att.com's message of Thu, 14 Jun 90 21:24:14 EDT <9006150124.AA14075@ATHENA.MIT.EDU>
Posted-Date: Thu, 14 Jun 90 21:24:14 EDT
From: smb@ulysses.att.com
Date: Thu, 14 Jun 90 21:24:14 EDT
[ . . . ]
Support for optional extensions should be included. In
particular, an option to protect against dictionary attacks on
/etc/passwd may be a desirable extension.
[ . . . ]
At the risk of carrying the discussion off on a tangent: the issue of
dictionary-based password attacks is, at many sites, moot. For
example, we've rigidly enforced a rule here for about two years
prohibiting dictionary and various other "trivial" passwords for user
logins. The muscle behind the policy is provided by a rather simple
password cracker I wrote, plus a modified version of passwd (and Real
Soon Now, kpasswd).
In a sense, support for extensions is already in Kerberos, just as it
is for passwd, assuming you have the source code. In our case, aside
from the locally-produced lookup code, the total modification to
(k)passwd amounts to less than 50 lines, but could be *much* less than
that, of course.
Regardless of the merits of the encryption/authentication scheme used,
it just makes sense to discourage trivial attacks right from the start,
if at all possible.
-Bede McCall
Research Computing Facility
MITRE Corp. Internet: bede@mitre.org
MS A114 UUCP: {decvax,philabs}!linus!bede
Burlington Rd.
Bedford, MA 01730 (617) 271-2839
