[5664] in Kerberos
Re: authentication secure?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Aug 10 21:23:20 1995
To: jwb@wilbur.hhisland.com (Joe Beiter)
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "10 Aug 1995 09:14:14 EDT."
<40d0n6$2ar@wilbur.hhisland.com>
Date: Thu, 10 Aug 1995 12:21:43 EDT
From: Sam Hartman <hartmans@MIT.EDU>
>>>>> "Joe" == Joe Beiter <jwb@wilbur.hhisland.com> writes:
Joe> If I have someone logging into a router and that router is
Joe> doing authentication via Kerberos to a kerberos server... is
Joe> that dialog "secure"? Is it encrypted?
Security is a relative term; so, I will attempt to analyze
several possible situations; I'm not familiar with your router, so I
can't really comment for sure on whether it's encrypted although I can
tell you how to find out.
* User dials into router over telephone line, uses Kerberos to
authenticate, typing their password when the router prompts. The KDC
exchange between the router and the Kerberos server is encrypted (at
least, the interesting parts), but the conversation between the modem
and phone line is *not* encrypted. This means that if I tap the phone
line, or something, I get the password. This is probably somewhat
secure; it depends on how much you trust your phone lines, and on
whether it is really phone lines involved instead of some other system
connected to a protocol translator or something.
* The router performs Kerberos authentication to a remote service on
behalf of a user, and the user doesn't type their password to this
host. This depends a lot on the protocol involved. Try connecting to
a Unix host, and see what port you come in on; if it's eklogin, then
the session is almost certainly encrypted. If it's telnet, try
looking at the telnetd man page and enabling authentication debugging
so you can see what's going on and see if the router enables
encryption.
* An administrator remotely logs into a router using a Kerberized
application. If you used rlogin, the session is encrypted if you use
-x; if you use telnet, it's encrypted if you use -ax and an encrypt
status command (at the telnet> prompt) shows it is encrypting.
Note that a session that is not encrypted is (somewhat)
secure. If you have the option of encrypting sessions, do so.
However, the authentication exchange is still fairly secure
(especially under V5) if you don't encrypt. However, any subsequent
passwords you might type (root password for su, etc.) are not encrypted
unless the session is encrypted. Also, note that using an unencrypted
rlogin or telnet to a system, then running kinit on that system buys
you absolutely nothing in terms of security.
I think I recall that you use Kerberos4, so this isn't an
issue for you, but the telnet distributed with Kerberos5 beta 5
doesn't compile in encryption support as distributed; so, if you use
Kerberos5, you should try to use rlogin -x if possible instead of
telnet.
--Sam
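The "see what port you come in on" check from the message, as an added example (not part of the original post): an audit of established inbound sessions on a Unix host that flags which Kerberized login services are encrypted by design (eklogin) and which are not (klogin, plain rlogin, telnet without encryption). It assumes the standard port assignments from /etc/services and uses constructed netstat-style sample lines, not real hosts.

```python
# Added example, not from the original message: classify established inbound
# sessions by the login service port they arrived on, following the rule of
# thumb above (eklogin is encrypted; klogin/rlogin/telnet are not unless the
# client negotiated encryption).
import re

# Standard /etc/services assignments for the login services discussed
# (assumption: the host has not remapped them).
SERVICE_PORTS = {
    23: ("telnet", "unknown: run 'encrypt status' at the telnet> prompt"),
    513: ("rlogin", "plaintext: no Kerberos authentication at all"),
    543: ("klogin", "authenticated but not encrypted (rlogin without -x)"),
    2105: ("eklogin", "encrypted (rlogin -x)"),
}

# Matches the proto/recv-q/send-q/local/foreign/state columns of 'netstat -n'.
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED")

def classify(line):
    """Return (service, verdict, peer) for one established TCP line, else None."""
    m = NETSTAT_RE.match(line)
    if not m:
        return None
    local_port = int(m.group(2))
    peer = f"{m.group(3)}:{m.group(4)}"
    service, verdict = SERVICE_PORTS.get(local_port, ("other", "not a login service"))
    return service, verdict, peer

def audit(lines):
    """Return the login sessions found in netstat output, skipping other traffic."""
    results = []
    for line in lines:
        r = classify(line)
        if r is not None and r[0] != "other":
            results.append(r)
    return results

# Constructed sample in 'netstat -n' layout; addresses are not real hosts.
SAMPLE = """\
tcp        0      0 10.0.0.5:2105          10.0.0.9:1041           ESTABLISHED
tcp        0      0 10.0.0.5:543           10.0.0.12:1033          ESTABLISHED
tcp        0      0 10.0.0.5:23            10.0.0.7:1100           ESTABLISHED
tcp        0      0 10.0.0.5:22            10.0.0.7:1101           ESTABLISHED
udp        0      0 10.0.0.5:88            0.0.0.0:*
""".splitlines()

if __name__ == "__main__":
    for service, verdict, peer in audit(SAMPLE):
        print(f"{peer:>18}  {service:<8}  {verdict}")
```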