[4847] in Kerberos
Dueling Books
daemon@ATHENA.MIT.EDU (William C. DenBesten)
Tue Mar 21 11:35:38 1995
To: kerberos@MIT.EDU
Date: Tue, 21 Mar 1995 11:16:21 -0500
From: denbesten@cs.bgsu.edu (William C. DenBesten)
I've been reading up on Kerberos with the idea of possibly implementing it
on my Sun workstations. In the process, I came across the following
passage:
Unfortunately it [Kerberos] is plagued with holes ... passwords which
are stored in plain text on the authentication server.
"Unix System Administraton Handbook, second edition"
This is a book that I generally trust, but I can not believe that Kerberos
would keep clear text passwords around. Further reading yields:
Actually, the initial ticket that the Kerberos Server sends your
workstation is encrypted with a 56-bit number that is derived from
your password using a one-way cryptographic function. Kerberos uses
encrypted passwords for the encryption ... [to reduce] the damage that
would occur if the Kerberos master password file were somehow stolen
by an attacker.
"Pratical Unix Security"
This quote sems like a much more reasonable approach to me. Please tell
me that the first book is incorrect, or at least that it is discussing a
significantly older version of Kerberos.
The second quote implies that the passwords are stored on the server using
crypt(). If so, does there exist a program which would convert from
/etc/password to a kerberos password database. If it does not exist, is
this a program which is technically feasable to write?
--
William C DenBesten is denbesten@cs.bgsu.edu or bgsuopie.bitnet