[4847] in Kerberos

home help back first fref pref prev next nref lref last post

Dueling Books

daemon@ATHENA.MIT.EDU (William C. DenBesten)
Tue Mar 21 11:35:38 1995

To: kerberos@MIT.EDU
Date: Tue, 21 Mar 1995 11:16:21 -0500
From: denbesten@cs.bgsu.edu (William C. DenBesten)

I've been reading up on Kerberos with the idea of possibly implementing it
on my Sun workstations.  In the process, I came across the following
passage:

   Unfortunately it [Kerberos] is plagued with holes ... passwords which
   are stored in plain text on the authentication server.

                       "Unix System Administraton Handbook, second edition" 

This is a book that I generally trust, but I can not believe that Kerberos
would keep clear text passwords around.  Further reading yields:  

   Actually,  the initial ticket that the Kerberos Server sends your
   workstation is encrypted with a 56-bit number that is derived from
   your password using a one-way cryptographic function.  Kerberos uses
   encrypted passwords for the encryption ... [to reduce] the damage that
   would occur if the Kerberos master password file were somehow stolen
   by an attacker.
                       "Pratical Unix Security"

This quote sems like a much more reasonable approach to me.  Please tell
me that the first book is incorrect, or at least that it is discussing a
significantly older version of Kerberos.

The second quote implies that the passwords are stored on the server using
crypt().  If so, does there exist a program which would convert from
/etc/password to a kerberos password database.  If it does not exist, is
this a program which is technically feasable to write?

-- 
William C DenBesten is denbesten@cs.bgsu.edu or bgsuopie.bitnet

home help back first fref pref prev next nref lref last post