[23491] in Kerberos
Re: Six Kerberos/OS X/SSH observations and questions
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Fri Mar 4 18:44:42 2005
In-Reply-To: <200502281702.j1SH24hA030886@pch.mit.edu>
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <ebb7203d094cbec7de7bd85f9a5d53e7@jpl.nasa.gov>
Content-Transfer-Encoding: 7bit
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Fri, 4 Mar 2005 15:43:53 -0800
To: kerberos@mit.edu
cc: ylee@pobox.com
Errors-To: kerberos-bounces@mit.edu
On Feb 28, 2005, at 9:02 AM, kerberos-request@mit.edu wrote:
> 6) The general advice I see on the issue of whether the NetInfo and
> Kerberos passwords should match is that this is a bad idea. Why? In
> scenario 5) (or scenario 4 without network connectivity) I would think
> I'd *prefer* to only have one password to remember that will work
> whether the login process succeeds in connecting to a KDC or instead
> falls over to NetInfo (Or is the other way around?). I'd also prefer
> that when I change my Kerberos password my NetInfo password also
> changes, and perhaps even vice versa. What are the horrible downsides
> to such password synchronization?
Depends on how concerned you are with the possibility of someone
cracking netinfo and then using the password to infiltrate the
Kerberized services. I haven't tracked all the issues but I don't
think netinfo is considered that secure. At the least it needs to be
set up correctly to be secure.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos