[7214] in Kerberos
Re: kerberos authentication with tacacs ?
daemon@ATHENA.MIT.EDU (John Hascall)
Sat May 4 10:32:10 1996
To: kerberos@MIT.EDU
Date: 4 May 1996 13:57:53 GMT
From: john@iastate.edu (John Hascall)
Yves Touchette <yvest@server0.accent.net> wrote:
}We are also changing all the authentication process we use because our
}network is getting pretty big and a central kerberos db with slave
}servers is a solution that makes the most sense ...
Below find a minimalist external kerberos authentication
module which works with xtacacsd's AUTHTOKEN support.
Unfortunately, authtoken also passes the username/password
on the command line -- it's not much work to add a new
AUTHPIPE option which passes through a pipe though.
}Do you think that the fact that I am using switched ethernet protects me
}against packet sniffers ... What other security issues should I be concerned
}about given that the userid/passwd are sent in clear text ?
If you have:
------+----------+---------[bridge/switch/router]------ "to nasties"
      |          |          |
   ...[cisco]    [xtacacsd] [kerberos]
or:
------+---------[bridge/switch/router]------ "to nasties"
      |         |          |
   ...[cisco]   [xtacacsd] [kerberos]
or:
------+---------[bridge/switch/router]------ "to nasties"
      |         |
   ...[cisco]   [xtacacsd]----+----[kerberos]
you should be pretty secure from snooping.
John
------------------- tacacs_authtoken_krb.c ------------------------------
/*
 * tacacs_authtoken_krb.c: external authenticator for xtacacsd's AUTHTOKEN
 * hook.  Invoked as:  tacacs_authtoken_krb <username> <password>
 * Exit status 1 = access allowed, 0 = access denied.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <krb.h>                /* Kerberos 4 API */

#define ACCESS_DENIED  0
#define ACCESS_ALLOWED 1
#define TGT "krbtgt"

static void hide(char *s);

int main(int argc, char **argv)
{
    char *username;
    char *password;
    char realm[40];
    char ticketfile[80];
    int kv;

    if (argc != 3) return ACCESS_DENIED;

    /* copy the credentials, then blank the password in argv so it is
     * no longer visible to "ps" for the rest of the run */
    username = strdup(argv[1]);
    password = strdup(argv[2]);
    hide(argv[2]);
    if (username == NULL || password == NULL) return ACCESS_DENIED;

    /* local realm from the Kerberos configuration */
    if (krb_get_lrealm(realm, 1) != KSUCCESS) return ACCESS_DENIED;

    /* use a private ticket file so we never disturb the caller's tickets */
    snprintf(ticketfile, sizeof ticketfile, "/tmp/tkt_kchk_%d", (int)getpid());
    krb_set_tkt_string(ticketfile);

    /* ask the KDC for a TGT with the supplied password; only the correct
     * password can decrypt the reply, so KSUCCESS means the password is right */
    kv = krb_get_pw_in_tkt(username, "", realm, TGT, realm, 1, password);
    hide(password);
    /*
     * optional here: mk_req/rd_req anti-spoofing check (verify the TGT
     * against a local service key so a forged KDC reply cannot say "yes")
     */
    (void)unlink(ticketfile);

    if (kv == KSUCCESS) return ACCESS_ALLOWED;
    return ACCESS_DENIED;
}

/*
 * not perfect, but better than nothing...
 */
static void hide(char *s)
{
    while (*s != '\0') *s++ = ' ';
}
--
John Hascall ``An ill-chosen word is the fool's messenger.''
Moderator, comp.unix.wizards
Systems Software Engineer, ISU Comp Center + Ames, IA 50011 + 515/294-9551
My Homepage: http://www.cc.iastate.edu/staff/systems/john/
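The post notes that AUTHTOKEN passes the password on the command line, that hide() only blanks it after the fact (anyone running ps between exec and hide() still sees it), and that an AUTHPIPE option feeding the credentials through a pipe would be little work. The following is an added example, not code from xtacacsd or from the original poster, showing that mechanism end to end: the writer side forks a checker and sends "user\npassword\n" down a pipe, the reader side parses it without truncating overlong fields, and the password never appears in any argv. The name AUTHPIPE, the newline-delimited wire format and demo_check() (which stands in for the krb_get_pw_in_tkt() call of the real module) are assumptions made for this illustration.

```c
/*
 * authpipe_demo.c: hand the username/password to an external checker
 * through a pipe instead of argv (the "AUTHPIPE" idea from the post).
 * Added example, not from xtacacsd.  The "user\npassword\n" format and
 * demo_check() are assumptions for this illustration.
 */
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>

#define ACCESS_DENIED  0
#define ACCESS_ALLOWED 1

typedef int (*checker_fn)(const char *user, const char *pass);

/* Clear a buffer through a volatile pointer so the compiler cannot drop
 * the stores as dead code; unlike hide() on argv there is no window in
 * which another process could have read the secret first. */
static void scrub(char *buf, size_t n)
{
    volatile char *p = (volatile char *)buf;
    while (n--) *p++ = '\0';
}

static int write_all(int fd, const char *s, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, s, n);
        if (w <= 0) return -1;
        s += w;
        n -= (size_t)w;
    }
    return 0;
}

/* Read one newline-terminated field; reject (never silently truncate)
 * fields that do not fit, and fail on EOF without a terminator. */
static int read_field(int fd, char *buf, size_t cap)
{
    size_t i = 0;
    char c;
    for (;;) {
        if (read(fd, &c, 1) != 1) return -1;
        if (c == '\n') { buf[i] = '\0'; return 0; }
        if (i + 1 >= cap) return -1;
        buf[i++] = c;
    }
}

/* Reader side (what the external module runs instead of looking at argv):
 * parse "user\npassword\n" from fd.  Returns 0 on success, -1 otherwise. */
int read_credentials(int fd, char *user, size_t ucap, char *pass, size_t pcap)
{
    if (read_field(fd, user, ucap) == 0 &&
        read_field(fd, pass, pcap) == 0 && user[0] != '\0')
        return 0;
    scrub(user, ucap);
    scrub(pass, pcap);
    return -1;
}

/* Writer side (what xtacacsd would do): fork a child that reads the
 * credentials from the pipe and runs check() on them.  The parent writes
 * the secret only into the pipe, never onto a command line. */
int authenticate_via_pipe(const char *user, const char *pass, checker_fn check)
{
    int fds[2], status;
    pid_t pid;

    /* newline is the separator, so it may not appear inside a field */
    if (strchr(user, '\n') || strchr(pass, '\n')) return ACCESS_DENIED;
    if (pipe(fds) != 0) return ACCESS_DENIED;
    signal(SIGPIPE, SIG_IGN);       /* a dead child must not kill the writer */

    pid = fork();
    if (pid < 0) return ACCESS_DENIED;
    if (pid == 0) {                 /* child: the checker */
        char u[64], p[128];
        int ok = ACCESS_DENIED;
        close(fds[1]);
        if (read_credentials(fds[0], u, sizeof u, p, sizeof p) == 0)
            ok = check(u, p);
        scrub(p, sizeof p);
        _exit(ok == ACCESS_ALLOWED ? 0 : 1);
    }

    close(fds[0]);                  /* parent: the writer */
    if (write_all(fds[1], user, strlen(user)) != 0 ||
        write_all(fds[1], "\n", 1) != 0 ||
        write_all(fds[1], pass, strlen(pass)) != 0 ||
        write_all(fds[1], "\n", 1) != 0) {
        close(fds[1]);
        waitpid(pid, &status, 0);
        return ACCESS_DENIED;
    }
    close(fds[1]);
    if (waitpid(pid, &status, 0) != pid) return ACCESS_DENIED;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0)
           ? ACCESS_ALLOWED : ACCESS_DENIED;
}

/* Constructed stand-in for the Kerberos check: one hard-coded demo account. */
int demo_check(const char *user, const char *pass)
{
    return (strcmp(user, "alice") == 0 && strcmp(pass, "s3cret") == 0)
           ? ACCESS_ALLOWED : ACCESS_DENIED;
}

int main(void)
{
    int r = authenticate_via_pipe("alice", "s3cret", demo_check);
    printf("alice/s3cret -> %s\n", r == ACCESS_ALLOWED ? "allowed" : "denied");
    return 0;
}
```

In the real module the child would exec tacacs_authtoken_krb with no arguments and that program would call read_credentials() on fd 0 before krb_get_pw_in_tkt(); the transport is the only part that changes.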