[1676] in Kerberos
Kerberos and Trojan Horses
daemon@ATHENA.MIT.EDU (Bruce Barnett)
Wed Dec 18 14:38:16 1991
Date: 18 Dec 91 18:54:54 GMT
From: barnett@grymoire.crd.ge.com (Bruce Barnett)
Reply-To: barnett@crdgw1.ge.com
To: kerberos@shelby.Stanford.EDU
Forgive me if this is an old subject.......
I am wondering how Kerberos protects itself from Trojan horses.
If the root password is known, then someone could replace the login
program with one that captures passwords. This could be done with
every public workstation, I guess.
As far as I can figure, the only protection is to
a) prevent someone from becoming root on the workstation.
b) rebooting the workstation when you walk up to it, and
downloading the software from a server.
c) walking around with a disk containing "trusted" software.
MIT doesn't care about 'a', I guess. What percentage of people use
technique 'b', and how long do they have to typically wait?
It seems possible to capture a large number of passwords in a short
period of time. Has this been attempted?
--
Bruce Barnett <barnett@crd.ge.com> uunet!crdgw1!barnett
