[23491] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Six Kerberos/OS X/SSH observations and questions

daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Fri Mar 4 18:44:42 2005

In-Reply-To: <200502281702.j1SH24hA030886@pch.mit.edu>
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <ebb7203d094cbec7de7bd85f9a5d53e7@jpl.nasa.gov>
Content-Transfer-Encoding: 7bit
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Fri, 4 Mar 2005 15:43:53 -0800
To: kerberos@mit.edu
cc: ylee@pobox.com
Errors-To: kerberos-bounces@mit.edu


On Feb 28, 2005, at 9:02 AM, kerberos-request@mit.edu wrote:

> 6) The general advice I see on the issue of whether the NetInfo and
> Kerberos passwords should match is that this is a bad idea. Why? In
> scenario 5) (or scenario 4 without network connectivity) I would think
> I'd *prefer* to only have one password to remember that will work
> whether the login process succeeds in connecting to a KDC or instead
> falls over to NetInfo (Or is the other way around?). I'd also prefer
> that when I change my Kerberos password my NetInfo password also
> changes, and perhaps even vice versa. What are the horrible downsides
> to such password synchronization?

Depends on how concerned you are with the possibility of someone  
cracking netinfo and then using the password to infiltrate the  
Kerberized services.  I haven't tracked all the issues but I don't  
think netinfo is considered that secure.  At the least it needs to be  
set up correctly to be secure.
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post