[1715] in Kerberos
Re: protocol question
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Thu Jan 16 13:06:44 1992
Date: Thu, 16 Jan 92 11:56:04 EST
From: sommerfeld@apollo.com (Bill Sommerfeld)
To: marantz@cs.rutgers.edu
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: marantz@cs.rutgers.edu's message of Thursday, January 16, 1992 11:08:18 am (EST)
> Date: Thursday, January 16, 1992 11:08:18 am (EST)
> From: marantz@cs.rutgers.edu
>
> I was hoping to have pwdauthd talk to the TGS using the pwdauthd
> ticket and ask for a TGT for the user by supplying the user's
> password. I think this could be used to replace the whole procedure
> mentioned above.
Nope, because someone spying on the network would see you send the
password "in the clear" to the TGS.
Assuming you just want to do a password check, and never again want to
use kerberos (which is somewhat foolish), what you *can* do to save
one step is to send an AS request for a ticket for
rcmd.<your-hostname> (instead of a TGT); you can then verify that
ticket yourself (since you have the key for rcmd.<your-hostname>).
- Bill
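A toy model of the scheme Bill describes, added here as an example and not code from the original message: the password-checking daemon sends an AS request for a ticket for rcmd.<host> and verifies that ticket with its own rcmd key. Real Kerberos encryption is replaced with a constructed HMAC-based seal, and the realm, principal names and password are made up; going one step beyond the message, it also shows that a reply from a KDC that does not hold the real rcmd key fails the local check.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.ORG"  # constructed sample realm

def string_to_key(password: str, principal: str) -> bytes:
    # Stand-in for Kerberos string2key: salted password -> principal key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, b"ks%d" % i, "sha256").digest() for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (not Kerberos DES): HMAC keystream + HMAC tag.
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return hmac.new(key, ct, "sha256").digest() + ct

def unseal(key: bytes, blob: bytes) -> dict:
    # A wrong key (wrong password, wrong service key) or tampering fails the tag.
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("bad key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))

# Constructed principal database held by the real KDC; the host also holds its rcmd key.
KDC_DB = {
    "alice": string_to_key("hunter2", f"alice@{REALM}"),
    "rcmd.host": os.urandom(32),
}

def as_exchange(db: dict, client: str, service: str) -> bytes:
    # AS-REQ/AS-REP: the request carries no password; the reply is readable only with
    # the client's key and carries a ticket sealed under the service key.
    session = os.urandom(16).hex()
    ticket = seal(db[service], {"client": client, "session": session})
    return seal(db[client], {"session": session, "ticket": ticket.hex()})

def pwdauthd_check(user: str, password: str, kdc_db: dict = KDC_DB) -> bool:
    """Check a password by getting an AS ticket for rcmd.host and verifying it locally."""
    try:
        rep = unseal(string_to_key(password, f"{user}@{REALM}"),
                     as_exchange(kdc_db, user, "rcmd.host"))
        ticket = unseal(KDC_DB["rcmd.host"], bytes.fromhex(rep["ticket"]))
    except (ValueError, KeyError):
        return False
    # The ticket opened under our own rcmd key and names the reply's session key,
    # so the answer came from a KDC that holds that key, not from an impostor.
    return ticket["client"] == user and ticket["session"] == rep["session"]
```

The password never leaves the host: only the AS request goes out, and a wrong password simply fails to open the reply.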