[6698] in Kerberos
Re: Is this a feature
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Mon Feb 19 14:03:47 1996
To: trier@odin.INS.CWRU.Edu (Stephen C. Trier)
Cc: hartmans@MIT.EDU (Sam Hartman), wes@prozac.student.cwru.edu (Wes Brown),
kerberos@MIT.EDU
In-Reply-To: trier's message of Mon, 19 Feb 1996 10:30:52 +0000.
<199602191530.KAA18516@odin.INS.CWRU.Edu>
Date: Mon, 19 Feb 1996 13:41:32 -0500
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
-----BEGIN PGP SIGNED MESSAGE-----
content-type: text/plain; charset=us-ascii
Using ksu satisfies those [accountability] requirements, but risks
exposing the password if the user forgot to encrypt the connection.
Doing direct Kerberized logins avoids the direct-attack problem,
but it doesn't provide the accountability.
If rshd/rlogind logged both the remote principal name of the client
and the local account name used, this would provide the best of both
worlds.
- Bill
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMSjEVFpj/0M1dMJ/AQH1MwP9H86C7uYbipBtFmRzmQb49DBxO3N1Zon0
NTFVDQgOXYTx0dZnHp4auwg7Ebleyac1gcfoq6J2uvdygJssnGxNiqV33dbaVaD5
qi3ReI9acW7TWScoYlrJ0HPlrQfqs+q1juo/ho1kA9Ib1NpR1MkfFkZI9/0fejBP
pfWqQAZ3uUk=
=/iOj
-----END PGP SIGNATURE-----
