[4903] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Proposal for a SmartCard-Kerberos Implementation

daemon@ATHENA.MIT.EDU (Mike Muuss)
Sat Apr 1 02:01:58 1995

Date:     Fri, 31 Mar 95 19:19:10 EST
From: Mike Muuss <mike@arl.mil>
To: "Donald T. Davis" <don@cam.ov.com>
Cc: John Hascall <john@iastate.edu>, kdrenard@arl.mil, kerberos@MIT.EDU


Donald Davis writes -

> i don't think securid integration matters that much, anyway;
> there are other, better solutions than securid for krb's
> problems.

OK.  How do you propose accessing a Kerberos-capable host (or bastion
machine, if you are into such) from a non-Kerberos machine, such as
when attending a conference or visiting at a University?  Or using
a PC to run regular TELNET?

Kerberos by itself is fine for machines within the realm, but as soon
as you need to enter the Kerberos realm from outside the realm, you can
_depend_ on everything being sniffed.  A single-use password (like
SecureID or S/Key) is a *must* to enter the realm, in that case.

By the way, an unencrypted telephone call is as likely to be sniffed as
an unencrypted InterNet session.  Don't make the mistake of assuming
that a laptop and a modem solves the problem.

If you have an alternative solution (commercial, public domain, or even
just theoretical), I'd love to hear about it!

	Best,
	 -Mike Muuss

	  Leader, Advanced Computer Systems Team
	  The U.S. Army Research Laboratory
	  APG, MD  21005-5068  USA

home help back first fref pref prev next nref lref last post