[5450] in Kerberos
Re: check passwords
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat Jul 1 15:04:08 1995
To: hfalken@x4u2.desy.de (Harald Falkenberg)
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "30 Jun 1995 11:48:08 GMT."
<HFALKEN.95Jun30134808@x4u2.desy.de>
Date: Sat, 01 Jul 1995 14:53:48 EDT
From: Sam Hartman <hartmans@MIT.EDU>
>>>>> "Harald" == Harald Falkenberg <hfalken@x4u2.desy.de> writes:
Harald> Is there a possibility to check k-passwords against
Harald> another? My problem is to authorize a person to run a
Harald> command in a perl script if his password (coming from
Harald> STDIN) matches the k-password belonging to his account. In
Harald> general I can crypt the input and compare it to the entry
Harald> in the passwd file. But how can it be done under k.
In many cases, if you find it necessary to do this, you're
doing something wrong; under the Kerberos environment, users should
only be expected to type their password once at login and when they
want to change their password. Creating other applications that ask
for the password only increases the effectiveness of social
engineering against your security.
Assuming that your situation actually requires verification of
the Kerberos password, why not just set KRBTKFILE to some dummy file,
run kinit, check the exit status, then kdestroy the file? Be sure to
set PATH to a trusted value so the user can't substitute their own
kinit.
--Sam
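Sam's recipe, carried through as a script, added here as an example rather than code from the original message. It assumes a kinit that reads the password from stdin (MIT-style behaviour, not guaranteed for every implementation) and that the trusted binaries live in the directories named in TRUSTED_PATH; adjust both for your site.

```python
import os
import subprocess
import tempfile

# Trusted search path, so the caller cannot put their own kinit in front of
# the real one (Sam's PATH point). The directories are an assumption for
# this example; use the ones where your site installs Kerberos.
TRUSTED_PATH = "/usr/bin:/bin"


def kerberos_env(ticket_file):
    """Child environment: trusted PATH plus a throwaway ticket file.

    KRBTKFILE is the Kerberos 4 variable from the thread; Kerberos 5 reads
    KRB5CCNAME instead, so both are pointed at the dummy file.
    """
    return {
        "PATH": TRUSTED_PATH,
        "KRBTKFILE": ticket_file,
        "KRB5CCNAME": "FILE:" + ticket_file,
    }


def run_command(argv, stdin_text, env):
    """Default runner: execute argv under env, feed stdin_text, return the
    exit status. Executable lookup uses env's PATH, not the caller's."""
    proc = subprocess.run(argv, input=stdin_text, text=True, env=env,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def verify_password(principal, password, run=run_command):
    """Return True iff kinit accepts password for principal.

    The password goes to kinit's stdin, never into argv (argv is visible to
    every user through ps). `run` is injectable so the control flow can be
    exercised without a KDC.
    """
    fd, ticket_file = tempfile.mkstemp(prefix="kchk.")   # mode 0600
    os.close(fd)
    env = kerberos_env(ticket_file)
    try:
        status = run(["kinit", principal], password + "\n", env)
        return status == 0
    finally:
        # Destroy the credentials and the file even if kinit failed or
        # raised, so a successful check never leaves a usable ticket behind.
        run(["kdestroy"], "", env)
        if os.path.exists(ticket_file):
            os.unlink(ticket_file)
```

A zero exit from kinit shows only that the password decrypted a reply from whatever answered as the KDC; a checker that must resist a spoofed KDC should additionally obtain a service ticket for a local keytab principal and verify it, which is what MIT's krb5_verify_init_creds does.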