[32453] in Kerberos
clear text password used
daemon@ATHENA.MIT.EDU (Kevin Longfellow)
Thu Jun 10 09:58:15 2010
Message-ID: <108405.5559.qm@web53501.mail.re2.yahoo.com>
Date: Thu, 10 Jun 2010 06:58:08 -0700 (PDT)
From: Kevin Longfellow <klongfel@yahoo.com>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
After reading the Aims section at http://www.kerberos.org/software/tutorial.html, it states the users password must never travel over the network. Take for example using LDAP as the back end for the principals. For a security review, I need to understand the path of the clear text password:
user runs kinit - this is the only time the password is entered in clear text?
kinit uses the string2key function to create a hashed encrypted key that replaces the password?
The hashed encrypted key is sent to the kdc and the kdc uses this hashed encrypted key to check the original password is correct in LDAP?
Hopefully I'm being clear what I am asking, but basically this question will come up: will the clear text password ever be sent to the LDAP back end and possibly cached and therefore compromised.
Thanks for any assistance with this,
Kevin
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
