[6830] in Kerberos
Re: kerberos or NIS for password validation
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Wed Mar 6 11:12:37 1996
Date: Wed, 6 Mar 96 10:56:25 EST
From: Barry Jaspan <bjaspan@bbnplanet.com>
To: Bryce <SBD9924@alpha.cc.oberlin.edu>
Cc: kerberos@MIT.EDU
In-Reply-To: [6818]

> I believe that by changing the kerberos login program, ksu, xdm, xlock,
> etc, I could completely replace the NIS passwords with kerberos passwords,
> and put a * in all the NIS password fields. Wouldn't this be an
> improvement over our current situation?

It would certainly be an *improvement*, yes. If nothing else, there
are probably fewer people in the world who know how to fake a response
from the KDC than a response from NIS. This is theoretically
worthless, but in practice it does raise the bar a little bit.
Particularly if you require pre-authentication, it will be harder for
an attacker to acquire a complete password list to perform a
dictionary attack against. An attacker will still be able to perform
a dictionary attack against any single user for which he can sniff the
Kerberos packets off the network, but again that is a higher bar.

The particular threat you mentioned, that an attacker can forge a
response from the KDC, only allows the attacker to log in to a local
workstation as a user. It does NOT give the attacker valid Kerberos
tickets. This means, for example, that the attacker would not be able
to log in to a Kerberos rlogind server with the forged TGT. Only the
local host is compromised. And, as I stated in the FAQ, this attack
can be prevented by placing a keytab on the client host (although this
comes with its own set of tradeoffs).

Barry
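
The difference between a login program that only checks the KDC reply against the typed password and one that also verifies a host ticket against a local keytab can be modelled in a few lines. This is an added illustration, not part of the original message and not MIT Kerberos code: the HMAC-based `seal`/`unseal` helpers stand in for Kerberos encryption, the ticket exchange is collapsed to one step, and every class and function name is hypothetical.

```python
import hashlib, hmac, os

def seal(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for Kerberos encryption: only a holder of `key` can produce this.
    return hmac.new(key, data, hashlib.sha256).digest() + data

def unseal(key: bytes, blob: bytes):
    tag, data = blob[:32], blob[32:]
    good = hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest())
    return data if good else None

def user_key(password: str) -> bytes:
    return hashlib.sha256(b"user-key:" + password.encode()).digest()

class RealKDC:
    def __init__(self, passwords: dict, host_key: bytes):
        self.user_keys = {u: user_key(p) for u, p in passwords.items()}
        self.host_key = host_key  # shared only with the host's keytab
    def as_reply(self, user: str) -> bytes:
        return seal(self.user_keys[user], b"tgt:" + user.encode())
    def host_ticket(self, user: str) -> bytes:
        return seal(self.host_key, b"host:" + user.encode())

class ForgedKDC:
    # Models the forged response: built from a password chosen at the console,
    # with no knowledge of the host key.
    def __init__(self, chosen_password: str):
        self.key = user_key(chosen_password)
        self.guessed_host_key = os.urandom(32)
    def as_reply(self, user: str) -> bytes:
        return seal(self.key, b"tgt:" + user.encode())
    def host_ticket(self, user: str) -> bytes:
        return seal(self.guessed_host_key, b"host:" + user.encode())

def login_password_only(kdc, user: str, password: str) -> bool:
    # Accepts any reply that verifies under the typed password.
    return unseal(user_key(password), kdc.as_reply(user)) == b"tgt:" + user.encode()

def login_with_keytab(kdc, user: str, password: str, keytab_key: bytes) -> bool:
    # Also requires a host ticket that verifies under the local keytab key.
    if not login_password_only(kdc, user, password):
        return False
    return unseal(keytab_key, kdc.host_ticket(user)) == b"host:" + user.encode()
```
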