[16805] in Kerberos_V5_Development

Re: SSH mediated Kerberos authenticated sudo.

daemon@ATHENA.MIT.EDU (Frank Cusack)
Wed May 11 16:00:20 2011

In-Reply-To: <201012221831.oBMIVN1N007332@wind.enjellic.com>
Date: Wed, 11 May 2011 13:00:08 -0700
Message-ID: <BANLkTi=tvijAc4pDbHV8i-sUWJE3cF7hDw@mail.gmail.com>
From: Frank Cusack <frank+krb@linetwo.net>
To: g.w@hurderos.org
Cc: krbdev@mit.edu, kerberos@mit.edu

On Wed, Dec 22, 2010 at 10:31 AM, <g.w@hurderos.org> wrote:

> ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz
>

Revisiting this.

In my followup idea on having the server initiate the request for the fresh
credential, any thoughts on how to present a secure UI to the user so that
he knows this is ACTUALLY a local password request and not something being
mocked up by a compromised server?

With the client-initiated escape sequence, I think it's less of a concern
since, as long as the client software is not tampered with, the user has a
guarantee that they are actually entering their password locally.  And if
the client software IS tampered with, then all bets are off anyway.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev