[575] in Kerberos
Re: password checking
daemon@TELECOM.MIT.EDU (smb@RESEARCH.ATT.COM)
Sun Jan 8 22:10:23 1989
From: smb@RESEARCH.ATT.COM
To: chariot@ATHENA.MIT.EDU
Cc: Saltzer@ATHENA.MIT.EDU, jis@ATHENA.MIT.EDU, kit@ATHENA.MIT.EDU,
> As far as Athena goes, shadow files cannot be added to
> Kerberos. (The attacker can merely steal a previous login session and
> keep trying guesses as long as he wants without talking to Kerberos.)
Not quite correct. A major purpose of shadow password files is to
prevent ``fishing'' -- trying to find a single weak password. Stealing
a single login session lets you attack one password; it doesn't tell
you if there's a maintenance account with no password, or some such.
--Steve Bellovin