[1895] in Kerberos


Re: kerberos with no encryption

daemon@ATHENA.MIT.EDU (Alfred I. Anderson)
Thu May 7 15:29:35 1992

Date: 7 May 92 17:46:22 GMT
From: anderson@mayo.edu (Alfred I. Anderson)
To: kerberos@shelby.Stanford.EDU

In article <9205062335.AA03159@mls1.HAC.COM> todd@MLS1.HAC.COM (Todd Matthews) writes:

>I compiled kerberos originally with NOENCRYPTION since the DES library
>was not present and also to make it easier to debug.

>When I finally got kerberos up and running I started to test it.  I was
>able to use KINIT with the wrong password and still get a ticket.  Then it
>let me log on to the remote server (all without using the proper kerberos
>password!!).  We think this is because the password is not actually
>checked, it is used to encrypt the ticket.  Since there is no 
>encryption the ticket will always be valid, regardless of the password.

>You have probably found this out yourself, but it seems that with no 
>encryption kerberos is wide open, and probably can not be used.

>Todd Matthews
>Phone: (714) 732-7240
>EMail: todd@mls1.hac.com

>PS:  Is there any better installation documentation around anywhere?


Todd,  I've never used Kerberos but I've read the specifications.  Is what
you say true?  If you don't use the encryption, Kerberos basically does
nothing?  Surely you had to supply your initial name and password... did
the authentication server then respond properly with a ticket you could use 
with the ticket-granting-server to obtain access to the desired resources?

If what you say is true (and I have no reason to doubt you), I'm shocked!

(PS - if a kerberos expert reads this, could you reply in public?)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Alfred Anderson                Internet:    anderson@Mayo.edu
Mayo Foundation
-----------------------------------------------------------------
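As an added illustration of the mechanism Todd describes above (this is not code from the original thread or from the MIT Kerberos distribution), the following Python model runs a toy version of the Kerberos v4 initial-ticket exchange twice: once with a real (if toy) cipher and once with the cipher replaced by the identity, which is what compiling with NOENCRYPTION amounts to. The string-to-key derivation, the XOR-keystream cipher, the reply layout and the user/service names are all stand-ins for DES and the real v4 formats; they are assumptions made for this example, not the real implementation.

```python
"""Toy model of the Kerberos v4 AS exchange, with and without encryption.

The client never sends its password to the KDC.  The KDC replies with the
session key and ticket encrypted under the user's key, and the client proves
it knew the password only by being able to decrypt that reply into something
well-formed.  If the 'cipher' is the identity, any password decrypts it.
"""
import hashlib
import os

MARKER = b"KRB4|"  # constructed tag the client checks after decrypting


def derive_key(password: str) -> bytes:
    # Stand-in for the v4 string_to_key routine (assumption: real v4 builds a DES key).
    return hashlib.sha256(b"toy-string-to-key:" + password.encode()).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Deterministic XOR keystream cipher standing in for DES (toy, not secure)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR stream: the same operation in both directions


def no_encrypt(key: bytes, data: bytes) -> bytes:
    """What NOENCRYPTION amounts to: encryption and decryption are the identity."""
    return data


class KDC:
    def __init__(self, user_keys: dict, service_keys: dict, cipher):
        self.user_keys = user_keys
        self.service_keys = service_keys
        self.cipher = cipher

    def as_request(self, user: str, service: str) -> bytes:
        # The initial request is unauthenticated: the KDC does not check any
        # password, it just encrypts the reply under the key it has on file.
        session_key = os.urandom(8)
        ticket_plain = MARKER + b"TKT|" + user.encode() + b"|" + session_key.hex().encode()
        ticket = self.cipher(self.service_keys[service], ticket_plain)
        reply_plain = (MARKER + b"AS|" + user.encode() + b"|"
                       + session_key.hex().encode() + b"|" + ticket.hex().encode())
        return self.cipher(self.user_keys[user], reply_plain)


def kinit(kdc: KDC, user: str, typed_password: str, service: str, cipher):
    """Client side of kinit: returns (ok, ticket).  The typed password is only
    used to derive the decryption key; 'wrong password' is detected solely by
    the reply failing to decrypt into the expected shape."""
    reply = kdc.as_request(user, service)
    plain = cipher(derive_key(typed_password), reply)
    fields = plain.split(b"|")
    if plain[:len(MARKER)] != MARKER or len(fields) != 5 or fields[2] != user.encode():
        return False, b""  # kinit would report "Password incorrect" here
    return True, bytes.fromhex(fields[4].decode())


def service_accepts(ticket: bytes, service_key: bytes, user: str, cipher) -> bool:
    """Application server side: decrypt the ticket with its own key and check it."""
    plain = cipher(service_key, ticket)
    fields = plain.split(b"|")
    return plain[:len(MARKER)] == MARKER and len(fields) == 4 and fields[2] == user.encode()


def run_scenario(cipher) -> dict:
    """Try kinit with the right and a wrong password; report whether the
    resulting ticket is accepted by the service.  Names are constructed."""
    user_keys = {"todd": derive_key("correct-horse")}
    service_keys = {"rlogin/mls1": os.urandom(32)}
    kdc = KDC(user_keys, service_keys, cipher)
    results = {}
    for label, password in (("right", "correct-horse"), ("wrong", "guess")):
        ok, ticket = kinit(kdc, "todd", password, "rlogin/mls1", cipher)
        results[label] = bool(ok and service_accepts(ticket, service_keys["rlogin/mls1"], "todd", cipher))
    return results


if __name__ == "__main__":
    print("with cipher:    ", run_scenario(toy_encrypt))
    print("NOENCRYPTION:   ", run_scenario(no_encrypt))
```

With the toy cipher the wrong password turns the reply into garbage, the marker check fails and kinit refuses; with the identity "cipher" the reply is already plaintext, so every password passes the check and the (equally unencrypted) ticket is accepted by the service, which is exactly the behaviour Todd reports.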
