[307] in Kerberos
Yet another addendum
daemon@TELECOM.MIT.EDU (Clifford Neuman)
Thu Jan 28 20:24:28 1988
From: bcn@JUNE.CS.WASHINGTON.EDU (Clifford Neuman)
To: treese@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU
In-Reply-To: Clifford Neuman's message of Thu, 28 Jan 88 17:06:22 PST <8801290106.AA16493@june.cs.washington.edu>
The answer to Jeff's problem is to require that the response to a
request from kerberos for a ticket with a different internet address
come back encrypted in the users secret key instead of the session
key. As such, the user would be required to type in his password
again.
I think it is important to minimize the number of machines that see
the users password. Since the user is already logged into the local
machine, we can presume that at one point, it had the password. If we
use Wins suggestion, then once the password has been decrypted on the
remote system, it has seen the password. If, howver, the password is
used and discarded on the local machine, then, even if the remote
machine has been compromised, it at most gets a ticket granting ticket
good for a finite lifetime.
Another issue that should be considered is the case of a user taking
two rlogin hops. If we tell him that it is OK to type his password to
rlogin, then when he makes the second hop, he is typing to to the
rlogin on the remote machine, and it is not encrypted on the network
between his local host and the remote host (even though it is between
the first remote host and the second).
~ Cliff
