[7172] in Kerberos
Re: TACACS vs kerberos? Comments?
daemon@ATHENA.MIT.EDU (Stephen C. Trier)
Tue Apr 30 10:51:39 1996
From: trier@odin.INS.CWRU.Edu. (Stephen C. Trier)
Date: Tue, 30 Apr 1996 10:38:15 +0000
In-Reply-To: Trever Furnish <tfurnish@ind.net>
"TACACS vs kerberos? Comments?" (Apr 29, 6:23pm)
To: Trever Furnish <tfurnish@ind.net>,
kerberos@MIT.EDU (Kerberos Mailing List)
On Apr 29, 6:23pm, Trever Furnish wrote:
> Is TACACS comparable to Kerberos in terms of security?
No. TACACS relies on plaintext transmission of the username and
password to a server and a plaintext success/fail reply from the
server. It is subject to sniffing, spoofing, replay, and dictionary
attacks like any service of its sort.
The Kerberos-or-bust bunch roll their eyes at the thought of someone
using TACACS. ;-) The it's-better-than-nothing bunch will tell you to
protect against sniffing by isolating your TACACS data behind a router
or bridge, to log all TACACS activity so as to watch out for dictionary
attacks, and to cross your fingers as a defense against spoofing and
replay attacks. ;-)
Stephen
--
Stephen Trier
trier@ins.cwru.edu
KG8IH
"All coordination will be done electronically over the Internet, a
futuristic communications network of networks that, we are told, will
one day revolutionize something or other." - mini-AIR #1996-02
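
The message above advises logging all TACACS activity to watch for dictionary attacks. As an added example (not part of the original post), here is one way to scan such a log for bursts of failed logins and for a success that follows a burst. The log line format, the `tacacsd` name, the thresholds and the sample lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example (not a real daemon's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) tacacsd: login user=(?P<user>\S+) "
    r"from=(?P<src>\S+) result=(?P<result>ok|fail)$")

def find_dictionary_attacks(lines, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, user, src, timestamp) tuples.

    'burst'   : `threshold` failures for one user inside `window`
    'success' : a successful login for a user with an open burst alert
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = set()                # users with an open burst alert
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip lines in any other format
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        if m["result"] == "fail":
            # Keyed by username: the source address can be spoofed.
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()        # drop failures older than the window
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append(("burst", user, src, ts))
        else:
            if user in flagged:    # guessing may have found the password
                alerts.append(("success", user, src, ts))
                flagged.discard(user)
            failures[user].clear()
    return alerts

# Constructed sample: six quick failures for alice, then a success; bob mistypes once.
SAMPLE_LOG = (
    [f"1996-04-30T10:00:{s:02d} tacacsd: login user=alice from=10.0.0.5 result=fail"
     for s in range(0, 60, 10)]
    + ["1996-04-30T10:01:05 tacacsd: login user=alice from=10.0.0.5 result=ok",
       "1996-04-30T10:02:00 tacacsd: login user=bob from=10.0.0.9 result=fail",
       "1996-04-30T10:02:20 tacacsd: login user=bob from=10.0.0.9 result=ok"])

if __name__ == "__main__":
    for alert in find_dictionary_attacks(SAMPLE_LOG):
        print(alert)
```
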