[6818] in Kerberos
kerberos or NIS for password validation
daemon@ATHENA.MIT.EDU (Bryce)
Tue Mar 5 17:06:31 1996
Date: Tue, 05 Mar 1996 16:46:04 -0400 (EDT)
From: Bryce <SBD9924@alpha.CC.OBERLIN.EDU>
To: kerberos@MIT.EDU
X-Vms-To: IN%"kerberos@mit.edu"
I am looking for a way to use Kerberos for password validation. In
the FAQ it says that a public workstation can be tricked into allowing
a false login if the attacker can reply to a TGT request before the real
KDC can answer. He suggests a change to the login process that would
improve the situation, but warns that it is not completely secure.
Right now, our network uses Sun NIS for password validation, and it
seems that despite the weakness described in the FAQ, Kerberos
password validation would be much better than continuing to use NIS.
Right now, the passwords are all available by ypcat, and wide open
to a cracking program.
I believe that by changing the Kerberos login program, ksu, xdm, xlock,
etc, I could completely replace the NIS passwords with Kerberos passwords,
and put a * in all the NIS password fields. Wouldn't this be an
improvement over our current situation?
Thanks,
Bryce Denney
sbd9924@oberlin.edu
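
A check for the migration proposed in the message above, as an added example that is not part of the original post: it reads passwd-format lines such as `ypcat passwd` prints and reports which accounts still carry a hash or an empty password field instead of `*`. The sample map is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format lines for password fields that
# are still usable or crackable after a move to Kerberos-only passwords.

# Constructed sample map (not real accounts; the hash-shaped string is made up).
sample_map() {
cat <<'EOF'
alice:*:1001:100:Alice:/home/alice:/bin/csh
bob:Xa9dK2l0pQw1E:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:*LK*:1004:100:Dave:/home/dave:/bin/sh
+::0:0:::
malformed line
EOF
}

# audit_passwd_map (hypothetical name): reads passwd lines on stdin and
# prints one "STATUS user" line per account.
audit_passwd_map() {
  awk -F: '
    /^[+-]/  { next }                                   # NIS compat inclusion entries
    NF < 7   { print "MALFORMED line " NR; next }       # not a 7-field passwd record
    $2 == "" { print "EMPTY " $1; next }                # no password required at all
    $2 ~ /^[*!]/ || $2 == "x" { print "LOCKED " $1; next }  # no valid hash present
    { print "HASH " $1 }                                # hash readable by any NIS client
  '
}

# count_exposed (hypothetical name): number of accounts whose field is a
# hash or empty, i.e. entries the migration has not yet covered.
count_exposed() {
  audit_passwd_map | awk '$1 == "HASH" || $1 == "EMPTY" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
sample_map | audit_passwd_map
echo "exposed entries: $(sample_map | count_exposed)"
```

On a NIS client the same function can be fed with `ypcat passwd | audit_passwd_map`.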