[6432] in Kerberos
Re: Performance of CNS vs. AFS kaserver?
daemon@ATHENA.MIT.EDU (Richard Basch)
Thu Jan 4 18:36:30 1996
Date: Thu, 4 Jan 1996 18:16:39 -0500
To: John Gardiner Myers <jgm+@CMU.EDU>
Cc: kerberos@MIT.EDU
In-Reply-To: <Ikv1D1G00WBwA11nlN@andrew.cmu.edu>
From: "Richard Basch" <basch@MIT.EDU>
Of course, the administrative creation of the authentication database
leaves it vulnerable unless it is isolated and has a lot of activity.
I don't think *ANYONE* has ever fixed the problem where the initial
master keys used by the kaserver are predictable, and can be used to
compromise the database. After all, they are simply a hash of the time
and process id, and knowning the approximate creation time of the
database makes a brute-force attack quite doable.
It is only when the cell goes unobserved over a long period of time and
the cell receives lots of authentication requests that the keys are
re-randomized, and over time, this will yield better security, if and
only if nobody has compromised a previous key and observed the system
since.
Creation of a KDC should always use some true secret or a good random
source, of which the kaserver does neither.
-Richard
On Thu, 4-January-1996, "John Gardiner Myers" wrote to "kerberos@MIT.EDU" saying:
> harris@email.unc.edu (Trey Harris) writes:
> > We're moving our campus email system, which currently has 27,000 users, to
> > a new system for performance reasons.
>
> Have you looked at what the Cyrus project is doing?
> http://andrew2.andrew.cmu.edu/cyrus
>
> > Since getting Kerberos authentication for our terminal servers and other
> > authentication needs has been on our to-do list for awhile, we've been
> > investigating using CNS instead of the Transarc AFS Authentication Server
> > (kaserver). Since AFS 3.3 and 3.4 include Kerberos ".krb" equivalents of
> > many AFS commands (including a login.krb that will get a Kerberos ticket
> > and AFS token at login time), the process looks less onerous than it
> > might have been in the past.
>
> The ".krb" versions are useful for getting MIT/CNS clients to use the
> Transarc server, not the other way around. To use a MIT/CNS server,
> you would have to use a MIT/CNS login and other clients. You'd have
> to modify the clients (or use aklog) to install an AFS token in the
> kernel.
>
> One of the bigger advantages of the kaserver are the much improved
> administrative interfaces. One of the biggest disavantages is that
> none of the administrative clients (kas, kpasswd) that Transarc
> distributes handle the MIT string-to-key.
>
> --
> _.John G. Myers Internet: jgm+@CMU.EDU
> LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
