[2066] in Kerberos


Re: MacX and kerberos...

daemon@ATHENA.MIT.EDU (Tasuki Hirata)
Thu Jul 30 20:19:36 1992

Date: 31 Jul 92 00:44:38 GMT
From: sukes@eng.umd.edu (Tasuki Hirata)
To: kerberos@shelby.Stanford.EDU


> In article <1992Jul30.142315.9840@ncsu.edu>,
> everette@ncsuvm.cc.ncsu.edu (Everette Allen) writes:
> |> rsh is not kerberized so I get "login incorrect" because, I think, the rsh
> |> is not looking in the Hesiod database to verify my password.  Is this correct?
> |> If so where is the ftp archive for kerberized rshd (and ftpd, telnetd etc for
> |> that matter) ??  Now the security issue.  IF I understand, any time that a
> |> Xserver passes a password *not a ticket* over the net it is insecure from a
> |> standpoint of kerberos.  Is this true?  

> As I understand things, yes this is true.

No, not quite right.  MacX uses rexecd.
If you have your passwd file in the Hesiod database,
getpwnam is going to fail.  Hence, the login incorrect.

> Perhaps worse yet is that
> (I'm guessing) most people run MacX with access control turned OFF.
> So, they can easily be snooped.

Hmm.  That's news to me.  MacX prompts the user every time an X client
wants to connect to the server.  I don't think most people are so
naive that they will allow any unexpected clients to connect.
I admit, it would be better if MacX showed more info on what type of
client is trying to connect to the server.
--
| Tasuki Hirata              | "Hell, if you understand everything I say,     |
| sukes@eng.umd.edu          |    you'd be me."  --  Miles Davis (ca. 1967)   |
| uunet!eng.umd.edu!sukes    |         ** Place Disclaimer Here  **           |
