[6575] in Kerberos
Re: Authentication Only ?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Feb 2 15:26:09 1996
To: trier@odin.INS.CWRU.Edu (Stephen C. Trier)
Cc: choward@staff1.lib.iastate.edu (Chris Howard), kerberos@MIT.EDU
From: hartmans@MIT.EDU (Sam Hartman)
Date: 02 Feb 1996 15:09:46 -0500
In-Reply-To: trier@odin.INS.CWRU.Edu.'s message of Fri, 2 Feb 1996 11:56:54 +0000
>>>>> "Stephen" == Stephen C Trier <trier@odin.INS.CWRU.Edu.> writes:
Stephen> Yes, you can do that. You can accept a plaintext
Stephen> password with the standard HTTP authentication protocol,
Stephen> check it against Kerberos, then serve the data. I do
Stephen> that here. The drawback is that it uses Kerberos as no
Stephen> more than a shadow password system, introducing all of
Stephen> the risks of plaintext passwords. That said, it does the
Stephen> job!
Anyone who tried to pull that here would probably get nasty
mail from our security-clueful people unless they clearly warned users
about the potential compromise of their passwords, and they would
probably be asked to provide another mechanism that people who were
unwilling to send their passwords over the net could use. (There are
enough paranoid people around here who would refuse to use such a
system instead of sending clear text passwords that it would be
significantly less functional.)
Stephen> The simplest way to do it is to see if you can get a TGT
Stephen> for the user. This is easy to implement, requires no
Stephen> changes on the kerberos server. However, it is
Stephen> vulnerable to attacks that flood the web server with
Stephen> forged TGT replies.
Stephen> A better solution is to get the TGT, then use the TGT to
Stephen> get an rcmd ticket for the local host. This defends
Stephen> against the forged-TGT-reply attack, but it may require
Stephen> some cooperation from the Kerberos administrator,
Stephen> depending on your site Kerberos policies.
For an example of how to do this, look in the CNS pop server.
Stephen> Remember to destroy the TGT ASAP after authenticating the
Stephen> user!
Stephen> Your site policy may indicate that sending plaintext
Stephen> passwords over the network is unacceptable. In that
Stephen> case, you will have to find a Kerberos-aware web browser.
Stephen> :-(
Stephen> Stephen
Stephen> -- Stephen Trier trier@ins.cwru.edu KG8IH
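The two password-check strategies contrasted in the thread (TGT only versus TGT plus a ticket for the local host verified against the host's own key), as an added, self-contained Python model that is not code from this thread, from the CNS pop server, or from any Kerberos implementation. The KDC, the string-to-key function, the `seal`/`unseal` encryption stand-in, the principal names and the "rogue responder" that answers the AS-REQ with a reply encrypted under the password being checked are all constructed for the simulation; real Kerberos messages and enctypes look nothing like this. What the model shows is the point Stephen makes: a check that only tests whether the AS-REP decrypts accepts any reply built from the submitted password, while a check that goes on to obtain a ticket for the host and decrypts it with the host key cannot be satisfied without the real krbtgt and host keys.

```python
import hashlib
import hmac
import json
import os


# --- constructed stand-ins for Kerberos primitives (not real enctypes) ---

def string_to_key(principal: str, password: str) -> bytes:
    """Toy string-to-key: derive a principal's long-term key from its password."""
    return hashlib.sha256(f"{principal}:{password}".encode()).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))


def seal(key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for a Kerberos 'encrypted part'."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _stream(key, nonce, len(payload))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong or data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class ToyKDC:
    """Honest KDC holding every principal's long-term key, including krbtgt."""

    def __init__(self, keys: dict):
        self.keys = keys

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "AS-REQ":                      # initial ticket, proves the password
            skey = os.urandom(32).hex()
            client = msg["client"]
            tgt = seal(self.keys["krbtgt"], json.dumps({"client": client, "skey": skey}).encode())
            return {"enc_part": seal(self.keys[client], json.dumps({"skey": skey}).encode()),
                    "tgt": tgt}
        if msg["type"] == "TGS-REQ":                     # service ticket, issued from a TGT
            info = json.loads(unseal(self.keys["krbtgt"], msg["tgt"]))
            body = {"client": info["client"], "service": msg["service"]}
            return {"ticket": seal(self.keys[msg["service"]], json.dumps(body).encode())}
        raise ValueError("unknown request")


def rogue_responder(chosen_password: str):
    """Models the forged-reply problem the thread describes: whoever typed the password
    into the web form also answers the AS-REQ, encrypting the reply under the key that
    password derives to. This responder holds neither the krbtgt key nor the host key."""
    def handle(msg: dict) -> dict:
        if msg["type"] == "AS-REQ":
            fake_key = string_to_key(msg["client"], chosen_password)
            return {"enc_part": seal(fake_key, b'{"skey": "00"}'), "tgt": os.urandom(80)}
        return {"ticket": os.urandom(80)}   # cannot be made to verify under the host key
    return handle


class WebServer:
    def __init__(self, send, host_principal: str, host_key: bytes):
        self.send = send                    # transport to whatever answers as the KDC
        self.host_principal = host_principal
        self.host_key = host_key            # the host's keytab entry

    def check_tgt_only(self, user: str, password: str) -> bool:
        """Naive check: the password is accepted if the AS-REP decrypts."""
        rep = self.send({"type": "AS-REQ", "client": user})
        try:
            unseal(string_to_key(user, password), rep["enc_part"])
        except ValueError:
            return False
        return True

    def check_with_host_ticket(self, user: str, password: str) -> bool:
        """Hardened check: also use the TGT to get a ticket for this host and verify
        it with the host key; a forged AS-REP cannot lead to such a ticket."""
        rep = self.send({"type": "AS-REQ", "client": user})
        try:
            unseal(string_to_key(user, password), rep["enc_part"])
            tgs = self.send({"type": "TGS-REQ", "tgt": rep["tgt"],
                             "service": self.host_principal})
            ticket = json.loads(unseal(self.host_key, tgs["ticket"]))
        except ValueError:
            return False
        finally:
            rep = None                      # destroy the TGT as soon as the check is done
        return ticket["client"] == user and ticket["service"] == self.host_principal


def run_scenarios() -> dict:
    """Constructed principals; returns the outcome of each check in each scenario."""
    host = "host/www.example.test"
    keys = {"krbtgt": os.urandom(32), host: os.urandom(32),
            "alice": string_to_key("alice", "correct horse battery")}
    honest = WebServer(ToyKDC(keys).handle, host, keys[host])
    rogue = WebServer(rogue_responder("guess"), host, keys[host])
    return {
        "honest_kdc_right_password": honest.check_with_host_ticket("alice", "correct horse battery"),
        "honest_kdc_wrong_password": honest.check_with_host_ticket("alice", "guess"),
        "forged_reply_tgt_only": rogue.check_tgt_only("alice", "guess"),
        "forged_reply_with_host_ticket": rogue.check_with_host_ticket("alice", "guess"),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it prints one line per scenario: the honest KDC accepts the right password and rejects the wrong one under either check, while the forged reply is accepted by `check_tgt_only` and rejected by `check_with_host_ticket`, because the only thing the server can decrypt with its own keytab entry is a ticket the real KDC issued. In MIT Kerberos the library function `krb5_verify_init_creds` performs this host-ticket verification for you, which is the form this advice takes in a real deployment rather than hand-rolled code like the above. Note also that the hardened check needs the host's keytab on the web server, which is the "cooperation from the Kerberos administrator" the message refers to, and that the TGT is dropped immediately after the check, as the thread recommends.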