[573] in Kerberos
central password checking
daemon@TELECOM.MIT.EDU (Mark Lillibridge)
Sun Jan 8 20:26:00 1989
From: Mark Lillibridge <chariot@ATHENA.MIT.EDU>
To: Saltzer@ATHENA.MIT.EDU
Cc: jis@ATHENA.MIT.EDU, kit@ATHENA.MIT.EDU, mar@ATHENA.MIT.EDU,
In-Reply-To: Jerome H. Saltzer's message of Sun, 8 Jan 89 01:00:51 EST <8901080600.AA09155@HERACLES.MIT.EDU>
Reply-To: chariot@ATHENA.MIT.EDU
There is one major problem with this approach: it involves a
large loss of security. Suppose I manage to learn Jerry's password.
(i.e., I look over his shoulder or whatever). I hack his account. He
quickly then changes his password so he can't be hacked anymore. That's
what he thinks... Actually, I've been watching the net and see his
password change request go by with the new password embedded in it
(remember there is *no* way to prevent me from reading it because the
only secret Jerry and kerberos share is his old password which I also
have...).
Now I have his new password as well and proceed to continue
hacking him. The only way he can get relief is to have Jeff involve
wizard level magic on the kerberos server to manually set his password.
If Jeff didn't already know Jerry, this would mean he would have to
travel to Jeff's office and provide proof of identity to Jeff. A time
consuming process to say the least.
Note that this implies that if someone ever believes his
password has been compromised or might have been (how many times have
you thought someone might have seen your password?), he must perform the
above procedure to be totally safe. Consider the past scare when
everyone was forced to change their root passwords. Are we prepared to
have telcom provide a password changing service for 10-30 people a day?
I thought not.
This scheme is unworkable for this reason. The best approach
would be to provide a library routine, valid_password, which would be
called by passwd, kinit, login, and the like. Note that since login
also would call this routine, simply hacking passwd to remove the
restrictions will not permit logging onto another machine with an
invalid password, thus providing incentive not to bypass the
restrictions.
- Mark
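The shared-routine idea in the message above, as an added illustration that is not code from the original thread or from the MIT Kerberos project: one `valid_password` function that `passwd` and `login` both call, so that a `passwd` rebuilt without the restrictions still cannot produce a password that `login` will accept. The policy rules (minimum length, a short constructed word list, no username inside the password, two character classes), the in-memory `PasswordStore`, and the PBKDF2 hashing are all assumptions made for this example, not what the 1989 Athena systems did.

```python
import hashlib
import secrets

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = frozenset({"password", "kerberos", "athena", "secret", "letmein"})
MIN_LENGTH = 8  # assumed policy value


def valid_password(username: str, candidate: str) -> tuple[bool, str]:
    """Single policy check shared by passwd, kinit and login.

    Returns (ok, reason). Every program that accepts a password calls this,
    so removing the check from one of them buys an attacker nothing.
    """
    lowered = candidate.lower()
    user = username.lower()
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if user in lowered:
        return False, "contains username"
    if lowered in DICTIONARY:
        return False, "dictionary word"
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < 2:
        return False, "needs at least two character classes"
    return True, "ok"


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage format for this example only (not a Kerberos string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordStore:
    """Toy stand-in for the password database, kept in memory."""

    def __init__(self) -> None:
        self._db: dict[str, tuple[bytes, bytes]] = {}

    def _store(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._db[username] = (salt, _hash(password, salt))

    def passwd(self, username: str, new_password: str) -> None:
        """Honest passwd: refuses anything valid_password rejects."""
        ok, why = valid_password(username, new_password)
        if not ok:
            raise ValueError(f"password rejected: {why}")
        self._store(username, new_password)

    def passwd_without_check(self, username: str, new_password: str) -> None:
        """passwd with the restriction removed, as the message imagines."""
        self._store(username, new_password)

    def login(self, username: str, password: str) -> bool:
        """login also consults valid_password before checking the hash."""
        ok, _ = valid_password(username, password)
        if not ok:
            return False
        record = self._db.get(username)
        if record is None:
            return False
        salt, stored = record
        return secrets.compare_digest(stored, _hash(password, salt))


if __name__ == "__main__":
    store = PasswordStore()
    store.passwd("jerry", "Xq7!mvPlate")
    print("login with policy-compliant password:", store.login("jerry", "Xq7!mvPlate"))
    store.passwd_without_check("jerry", "secret")
    print("login after bypassing passwd's check:", store.login("jerry", "secret"))
```

The point the example makes is the one in the message: the stored hash for "secret" is perfectly valid, yet `login` refuses it because the same policy routine runs on the way in, so editing `passwd` alone does not let a weak password be used.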