[311] in Kerberos
rlogin
daemon@TELECOM.MIT.EDU (Steve Miller)
Fri Jan 29 13:37:53 1988
From: miller%erlang.DEC@DECWRL.DEC.COM (Steve Miller)
To: kerberos@ATHENA.MIT.EDU, MILLER%erlang.DEC@DECWRL.DEC.COM
As Cliff pointed out, if multi-hop rlogins occur, none of the solutions
that require typing in a password are secure, since rlogin sessions are
not encrypted for privacy.
I believe that once you have authenticated yourself the first time on your
local system, you should be able to navigate throughout the network, given
the appropriate authorizations, without having to type the password again
anywhere. (Assume that the tgt doesnt't expire.) If you make it a rule
that the password is NEVER entered again, you minimize the exposure on the
wire or in another system.
Whenever you walk away from your system, anyone else can capture it
and "be" you for whatever intent they wish. I am not convinced that this
is particularly different in terms of security for the different scenarios
suggested -- the original tgt is still available. (Unless you start tying
authorizations to the source address in addition to the kerberos name.)
Some of the alternatives may make it simpler to do more damage, so it might
be worth considering.
I would go with along with what Cliff and Stan suggested, but probably not
with having the user type in their password again. It loses big in the
multi-hop case, and buys little otherwise.
Steve.
