[7217] in Kerberos


Re: keberos authentication with tacacs ?

daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat May 4 17:21:48 1996

To: john@iastate.edu (John Hascall)
Cc: kerberos@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 04 May 1996 17:08:59 -0400
In-Reply-To: john@iastate.edu's message of 4 May 1996 13:57:53 GMT

>>>>> "John" == John Hascall <john@iastate.edu> writes:

    John>    you should be pretty secure from snooping.

	Hmm, I'm not convinced that some careful ARP injections or
packets coming from multiple points in the switched network wouldn't
be enough to confuse the spanning tree and get passwords to an
arbitrary snooper in the network.

	I agree that switched ethernet provides some protection; I am
unwilling to say it makes you "pretty secure."

	Also, you really should include an example of the
mk_req/rd_req check in the code.  Spoofing a bogus Kerberos ticket is
somewhat easier than spoofing an access granted response into a TCP
stream between the tacacs server and the terminal server.
I.e. without the mk_req/rd_req code, your Kerberos authentication may
be less secure than a Unix password file.
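A toy model of the check Sam describes, added here as an illustration and not code from the thread or from any Kerberos implementation: an HMAC tag stands in for a ticket's encrypted part, and the two KDCs, the user "john", the host "ts1" and the keytab key are all constructed in-process. A login that only checks that the AS reply opens with the typed password accepts a reply from a KDC that never knew the real password; obtaining a ticket for the local host and checking it against the host's own keytab key (the rd_req step) catches that, because a rogue KDC cannot seal a ticket under a key it does not have.

```python
import hashlib
import hmac

def key_from_password(password: str) -> bytes:
    # Stand-in for Kerberos string-to-key (toy, not a real enctype KDF)
    return hashlib.sha256(b"toy-s2k:" + password.encode()).digest()

def seal(key: bytes, body: bytes) -> bytes:
    # Toy "encrypted part": body plus a MAC only the key holder can produce
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
    return body if ok else None

def ticket_body(user: str, host: str) -> bytes:
    return b"tkt:" + user.encode() + b"@" + host.encode()

class HonestKDC:
    def __init__(self, user_keys: dict, host_key: bytes):
        self.user_keys, self.host_key = user_keys, host_key
    def as_rep(self, user: str) -> bytes:
        return seal(self.user_keys[user], b"tgt:" + user.encode())
    def tgs_rep(self, user: str, host: str) -> bytes:
        # Service ticket: sealed under a key only the KDC and the host share
        return seal(self.host_key, ticket_body(user, host))

class RogueKDC:
    # Answers the AS exchange for whatever password was typed, but cannot
    # seal a service ticket under the real host key (it is a constructed stand-in)
    def __init__(self, typed_password: str):
        self.guess = key_from_password(typed_password)
    def as_rep(self, user: str) -> bytes:
        return seal(self.guess, b"tgt:" + user.encode())
    def tgs_rep(self, user: str, host: str) -> bytes:
        return seal(b"made-up-host-key", ticket_body(user, host))

def login_unverified(kdc, user: str, password: str) -> bool:
    # Accepts as soon as the AS reply opens with the typed password: spoofable
    return open_sealed(key_from_password(password), kdc.as_rep(user)) is not None

def login_verified(kdc, user: str, password: str, keytab_key: bytes, host: str) -> bool:
    # The mk_req/rd_req step: get a ticket for this host and check it with the
    # host's own keytab key, which a rogue KDC does not have
    if not login_unverified(kdc, user, password):
        return False
    return open_sealed(keytab_key, kdc.tgs_rep(user, host)) == ticket_body(user, host)

# Constructed sample realm: one user and one terminal-server keytab entry
HOST_KEY = hashlib.sha256(b"constructed keytab entry host/ts1").digest()
HONEST = HonestKDC({"john": key_from_password("correct horse")}, HOST_KEY)
```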