[1964] in Kerberos

Re: kerberos & novell

daemon@ATHENA.MIT.EDU (Stephen C. Trier)
Mon Jun 8 15:35:04 1992

Date: 8 Jun 92 18:52:31 GMT
From: trier@slc6.ins.cwru.edu (Stephen C. Trier)
To: kerberos@shelby.Stanford.EDU

In article <1992May27.001540.10218@novell.com> keith@novell.com (Keith Brown) writes:
>Being such a Joe, I could FTP it over from MIT now, change a few lines
>of code, insert a back door or two and unleash my kludgery upon an
>unsuspecting planet. Is this what you would wish your bank to be using?

I don't think this is a good time to be trying to claim superior NetWare
security.  :-)  I seem to remember just last week running about trying to
get information on a major security hole in your network operating systems.

Think about that hole: It involved leaving certain fields of a login packet
blank, then sending the packet several dozen times to a file server.  Why
couldn't the same bug affect your RSA-based system?  Likewise, why couldn't
it affect a Kerberos application?

In other words, suppose the authentication system arrives as a perfectly
secure black box.  There is no way to guarantee there are no back doors,
since the back doors might be in the code that interfaces to the black box.
Unless the entire server is the black box, there will _always_ be interface
code.  :-)

You cannot trust any system more than you trust the ethical and technical
skills of its authors, period.  I don't trust Novell's programmers any more
than MIT's, and that means that I can't trust your "RSA" system any more
than Kerberos.

Now, wishlist time and ObKerberos:

I would like to see a Kerberized NetWare.  Specifically, I would like to
be able to extend our campus-wide Kerberos realm to our campus NetWare
servers, letting us give our users just one consistent user ID and password,
whether using TCP/IP or NetWare.

There's little hope for this, though, and I know it's kind of an esoteric
need.  I did say it was a wishlist.  :-)

-- 
Stephen Trier        Dumb error message of the month:
CWRU IRIS/INS         "Mar  1 18:07:18 ziggy xntpd[65]: Clock appears to
trier@ins.cwru.edu     be 86398 seconds slow, something may be wrong"