[32454] in Kerberos
Re: clear text password used
daemon@ATHENA.MIT.EDU (Weijun Wang)
Thu Jun 10 10:19:56 2010
MIME-version: 1.0
Date: Thu, 10 Jun 2010 22:18:45 +0800
From: Weijun Wang <Weijun.Wang@sun.com>
In-reply-to: <108405.5559.qm@web53501.mail.re2.yahoo.com>
To: Kevin Longfellow <klongfel@yahoo.com>
Message-id: <EF28A1D0-1E50-479F-9B02-E36787C7A328@sun.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Jun 10, 2010, at 9:58 PM, Kevin Longfellow wrote:
>
> Hi,
>
> After reading the Aims section at http://www.kerberos.org/software/tutorial.html, it states the users password must never travel over the network. Take for example using LDAP as the back end for the principals. For a security review, I need to understand the path of the clear text password:
>
> user runs kinit - this is the only time the password is entered in clear text?
Yes.
>
> kinit uses the string2key function to create a hashed encrypted key that replaces the password?
Hashed, but not encrypted.
>
> The hashed encrypted key is sent to the kdc and the kdc uses this hashed encrypted key to check the original password is correct in LDAP?
NO! The key is never sent on the wire, neither plain nor encrypted. Client and KDC simply send encrypted content (encrypted with this key) back and forth so that each side can be assured that the other side knows this key.
Max
>
> Hopefully I'm being clear about what I am asking, but basically this question will come up: will the clear text password ever be sent to the LDAP back end and possibly cached and therefore compromised?
>
> Thanks for any assistance with this,
>
> Kevin
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
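As an added illustration (not part of the thread), here is a toy Python model of the flow Weijun describes: the client runs string2key on the password, the KDC holds the same derived key, and the two sides exchange only ciphertext (an encrypted timestamp, as in Kerberos pre-authentication), so neither the password nor the key appears in any wire message. The PBKDF2 stage uses RFC 3962's parameters (salt = realm + principal, 4096 iterations) but omits the final DK() step; the XOR/HMAC cipher is a stand-in for the real Kerberos encryption types, and the realm, principal and password values are made up.

```python
import hashlib
import hmac
import os
import struct


def string2key(password: str, realm: str, principal: str) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key (AES etypes). Deterministic:
    client and KDB-provisioned KDC derive the same bytes from the same password."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (HMAC counter mode); stands in for a Kerberos etype.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity check
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered message
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_preauth(password: str, realm: str, principal: str, now: int) -> bytes:
    """What kinit puts on the wire: a timestamp encrypted under the derived key."""
    key = string2key(password, realm, principal)
    return encrypt(key, struct.pack(">Q", now))


def kdc_check(stored_key: bytes, pa_data: bytes, now: int, skew: int = 300) -> bool:
    """KDC side: decrypt with the key it already holds; accept only a fresh timestamp."""
    pt = decrypt(stored_key, pa_data)
    if pt is None:
        return False
    (ts,) = struct.unpack(">Q", pt)
    return abs(now - ts) <= skew
```

The skew window is what makes a captured pre-auth blob useless later, and a mismatched key (different password on either side) fails the integrity check before any timestamp is read.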