[4903] in Kerberos
Re: Proposal for a SmartCard-Kerberos Implementation
daemon@ATHENA.MIT.EDU (Mike Muuss)
Sat Apr 1 02:01:58 1995
Date: Fri, 31 Mar 95 19:19:10 EST
From: Mike Muuss <mike@arl.mil>
To: "Donald T. Davis" <don@cam.ov.com>
Cc: John Hascall <john@iastate.edu>, kdrenard@arl.mil, kerberos@MIT.EDU
Donald Davis writes -
> i don't think securid integration matters that much, anyway;
> there are other, better solutions than securid for krb's
> problems.
OK. How do you propose accessing a Kerberos-capable host (or bastion
machine, if you are into such) from a non-Kerberos machine, such as
when attending a conference or visiting at a University? Or using
a PC to run regular TELNET?
Kerberos by itself is fine for machines within the realm, but as soon
as you need to enter the Kerberos realm from outside the realm, you can
_depend_ on everything being sniffed. A single-use password (like
SecureID or S/Key) is a *must* to enter the realm, in that case.
By the way, an unencrypted telephone call is as likely to be sniffed as
an unencrypted InterNet session. Don't make the mistake of assuming
that a laptop and a modem solves the problem.
If you have an alternative solution (commercial, public domain, or even
just theoretical), I'd love to hear about it!
Best,
-Mike Muuss
Leader, Advanced Computer Systems Team
The U.S. Army Research Laboratory
APG, MD 21005-5068 USA