[1929] in Kerberos
Change Passwords - Literature ?
daemon@ATHENA.MIT.EDU (Ralf Hauser)
Tue May 26 15:04:21 1992
Date: 26 May 92 18:21:53 GMT
From: ralf@eecg.toronto.edu (Ralf Hauser)
To: kerberos@shelby.Stanford.EDU

During my research on password security and authentication,
I started to wonder why there is so much work done on the
initial authentication of a principal to a terminal/workstation, but
almost nothing about the, in my opinion, as sensitive change
of passwords:
- as far as I understand, passwd sends the passwords in
  clear over the communications link
- as the /etc/passwd file doesn't remember old passwords,
  how would a protocol, even one encrypting the passwd
  messages, react if an intruder intercepts either the
  change request or the acknowledgement from the
  authentication server, so as to prevent the occurrence of
  inconsistent data between the user and the AS?
- ...
So, does e.g. Kerberos provide a solution for those problems, or
are there other approaches I have missed? Any pointers are highly
appreciated!
Thanks Ralf
ralf@hub.utoronto.ca