[4450] in Kerberos


"Kerberos" at Usenix (WAS Re: GNU tape making at Winter USENIX?)

daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Sat Jan 7 23:08:42 1995

To: kerberos@MIT.EDU
Date: 8 Jan 1995 03:59:29 GMT
From: tls@cloud9.net (Thor Lancelot Simon)

In article <D22C34.GpF@acsu.buffalo.edu>,
Gretchen Phillips <gretchen@acsu.buffalo.edu> wrote:
>
>I thought a statement about the Terminal Room services might
>be of interest. 
>The terminal room will be open 7:30am-2am Monday-Thursday
>and 7:30-2pm Friday. It will be closed for the Keynote and 
>for the reception on Thursday.
>
>In article <D2258y.7z4@icus.com>, Lenny Tropiano <lenny@icus.com> wrote:
>>As in previous years, will there be a machine there for GNU Tape making and
>>possibly other distributions?
>>
>Yes.
>
>>What media will be supported?  (4mm? 8mm? 1/4" thanks)...
>>
>Right now I have a firm commitment for 8mm and QIC150. 4mm is
>likely but I'll only know for sure when I arrive and see the 
>equipment that has been shipped. I don't know how easy it is
>to locate a computer store in the area that we will be located
>so if you want to make tapes it is probably smart to bring blanks 
>with you rather than trying to buy them when you get there.
>
>The terminal room will have 4 Sun SS10. One for nameservice,
>printing and mail to firstname_lastname that will be printed
>and posted to the message board. One for making
>tapes of public software, and two for Kerberized logins.
>
>Cygnus Support is providing a Kerberos installation and support.

Perhaps this would be a good time to suggest that enough planning be applied to
the Kerberos installation this time around to avoid the complete lack of
security -- and, worse, evident promise of security which proved to be
completely fictitious -- which was delivered by the "Kerberos installation
and support" at last summer's Usenix.

This is _not_ a swipe at Noah; it was blindingly obvious that he got stuck
implementing an almost completely unplanned Kerberos installation which he
hadn't had any time to learn very much about.  This _is_ a request that a number
of reasonable things happen, such as:

    All relevant security patches be applied to the machines running Kerberos

    All inbound services be turned *off* on the machines running Kerberos

    Only one person at a time be allowed to use the machines running Kerberos

For those who don't know, last time out, the "Kerberos installation" consisted
of slapping CNS Kerberos onto the Sun workstations which were also being used
as inbound mail servers and general-purpose play-with-this-workstations -- and
which were running out-of-the-box SunOS 4.1.3 without even the sendmail patch
applied -- and telling people to telnet to the workstations and log in as
"kerberos" or something like that in order to kinit.

Of course, everyone was logging in as the same user, so everyone could use
each other's keys; even if that had been fixed, the utter lack of security
on the machines in question and the fact that they were taking _every_ kind
of inbound connection was a recipe for disaster; even had that been fixed,
people were actively being encouraged to log into the Suns from the NCD
X terminals, across an Ethernet which would likely have gotten their Kerberos
passwords sniffed anyway.

The eventual "solution", asking people to only use Kerberos from the consoles
of the workstations and at their own risk, was a nonsolution for a number of
reasons, particularly because the utter nonsecurity of the machines was just
*begging* for a trojan version of kinit to be installed.

Luckily, most of the people who probably would have used kinit at the last
Usenix noticed some or all of these problems, and I don't believe any passwords
were compromised.

A lot more people seem to be using Kerberos now, however, and I suspect that
a far lower proportion of them understand how it works.  A far more secure
Kerberos installation should be planned and executed, or the entire 
fancy-buzzword-promise should be scrapped.

One would think that the Usenix board, of all possible groups of people, would
understand that false security is much, much worse than no security at all.

<bobbitt>
>Xterminals will be provided by Tektronix.

The Right Thing to do, of course, would be to get the X terminal vendor to
supply versions of kinit and various Kerberized binaries like telnet linked
against their run-time library.  _That_ would be substantially difficult to
tamper with.

<bobbitt>
>Please remember, don't forward your mail to conference.usenix.org.
>Our mail printing service is just for getting messages.

I hope and pray that this time it's *not* running on one of the "Kerberos"
machines.
-- 
Thor Lancelot Simon                                               tls@cloud9.net

Somewhere they're meeting on a pinhead, calling you an angel.
