[4808] in Kerberos
Re: About password
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Wed Mar 15 13:30:15 1995
To: kerberos@MIT.EDU
Date: 15 Mar 1995 18:21:44 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)
In article <3k6p9v$rq5@nms.telepost.no>, Fornavn Etternavn <fornavn.etternavn@saga.telemax.no> writes:
|> Does anyone know when the user is prompted for the password.
|> Is it before or after the initial ticket is send to the
|> Kerberos Authentication Server?
First of all, an initial ticket is not "sent to the Kerberos Authentication
Server" in order to authenticate a user. The user sends an initial-ticket
*request* to the AS, and in response, the AS sends an initial (a.k.a. ticket
granting) ticket to the user, encrypted in the user's key. The user's
password is turned into a key and used to decrypt the TGT, which is then
placed into the user's credential cache.
In Kerberos 4, the user was not prompted to enter his/her password until after
the request was sent to the AS and an encrypted TGT was received in response.
The reasoning behind waiting until then to prompt was two-fold: (a) If the
Kerberos server is down, there's no point in prompting for a password; it
won't be useable anyway; (b) It is good to keep the password in memory for as
short a time as possible, so that it is vulnerable there for as short a time
as possible; if the password is prompted for before the request is sent to
the AS, and the AS takes a long time to respond, then the password will remain
in memory for some time, vulnerable to people who have access to other
process' memory or if the program with the password in its memory core-dumps.
In Kerberos 5, however, the libraries were changed so that the password is
prompted for *before* the request is sent ot the AS. The primary reason for
this change was to enable pre-authentication based on the user's key -- the
client making the initial-ticket request needs access to the key in order to
generate the pre-authentication data to send to the AS.
|> If the user is prompted for both username (Login:) and password
|> (Password:) at the same time, where is the password stored?
In RAM or swap space, i.e., in the address space of the process doing the
prompting.
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com