Re: Kerberos authentication with tacacs ?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat May 4 13:13:01 1996
To: Yves Touchette <yvest@server0.accent.net>
Cc: Sam Hartman <hartmans@MIT.EDU>, kerberos@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 04 May 1996 12:58:43 -0400
In-Reply-To: Yves Touchette's message of Sat, 4 May 1996 03:15:19 -0400 (EDT)
>>>>> "Yves" == Yves Touchette <yvest@server0.accent.net> writes:
Yves> You read me when you mention Cisco ... we are setting up a
Yves> dial-up ISDN pool on Cisco 4700 with mbri modules ...
Yves> We are also changing all the authentication process we use
Yves> because our network is getting pretty big and a central
Yves> Kerberos DB with slave servers is a solution that makes
Yves> the most sense ...

Why? Be aware that Kerberos does *not* perform load balancing
with slave servers; they are used for increased availability only. If
the master is up, it is used for all requests.

Yves> Do you think that the fact that I am using switched Ethernet
Yves> protects me against packet sniffers ... What other security
Yves> issues should I be concerned about given the fact that the
Yves> userid/passwd are sent in clear text ?

I don't know your network topology well enough to comment. It
probably provides a sufficient degree of protection for an ISP. Just
make sure it isn't easy for a user or customer to get root on a
machine between the Cisco and the TACACS server.

Yves> Thanks a lot,
Yves> Yvest Network Operation Group yvest@total.net
Yves> http://www.total.net Total Net. Montreal,Ca.
Yves> A baby is God's opinion that the world should go on. --
Yves> Carl Sandburg
Yves> On 3 May 1996, Sam Hartman wrote:
>> >>>>> "Yves" == Yves Touchette <yvest@accent.net> writes:
>>
Yves> Anybody could help me out setting up a tacacs server that
Yves> authenticates via Kerberos ?
>> You can't really do this. The TACACS protocol only supports
>> cleartext password authentication, so it cannot be
>> authenticated with Kerberos.
>>
>> This may not be what you mean; you can check users' passwords
>> against a Kerberos database using a modified TACACS server.
>> You really shouldn't do that for security reasons, but you may
>> need/want to do it anyway in some configurations. Be aware
>> that you will lose many of the advantages of Kerberos in many
>> environments if you choose this option. (Sadly, this is one of
>> a limited selection of options with production versions of
>> Cisco software; the future looks brighter, however.)
>>
>> Why don't you describe what you're really trying to do and give
>> enough details about your environment that we know what
>> security risks are reasonable for you and what options you
>> have. Do you consider your network secure? How soon do you need
>> a solution? What hardware/software do you have?