[4330] in Kerberos
Re: request for commentary on krb IV server mod
daemon@ATHENA.MIT.EDU (John Hascall)
Tue Dec 13 11:12:15 1994
To: kerberos@MIT.EDU
Date: 13 Dec 1994 15:36:27 GMT
From: john@iastate.edu (John Hascall)
Phi H Truong <orion@iastate.edu> wrote:
}Daniel G. Pouzzner <douzzer@prez.mit.edu> wrote:
}>I've just modified our kerberos servers to disable the inet_addr
}>matching performed by krb_rd_req(). This allows us to have tickets
}>(and AFS tokens) automatically set up when we telnet. I am of the
}>opinion that the inet_addr checking offers no real additional
}>security.

}I can see ticket forwarding as a plus for doing rsh or rcp but not for
}other things like telnet or rlogin.

The presumed benefit to TGT-forwarding for telnet is that
you need not type your password across an unsecure net-connection.
However, if you've disabled the address checking, and just sent
a TGT across the wire, haven't you just given the snooper something
just about as good as a cleartext password?

John
--
John Hascall ``An ill-chosen word is the fool's messenger.''
Systems Software Engineer, ISU Comp Center + Ames, IA 50011 + 515/294-9551