[6910] in Kerberos
Re: TACCAS authentication server
daemon@ATHENA.MIT.EDU (Donald T. Davis)
Tue Mar 19 09:08:55 1996
To: Robins.Tharakan@wnet.indiagate.com (Robins Tharakan)
Cc: don@cam.ov.com, kerberos@MIT.EDU
In-Reply-To: Your message of "18 Mar 1996 16:40:35 +0530."
<f07_9603190216@indiagate.com>
Date: Tue, 19 Mar 1996 08:59:55 -0500
From: "Donald T. Davis" <don@cam.ov.com>

r. tharakan asks

> I wish to know whether anyone has heard of 'TACCAS authentication server'.
> Is it related to kerberos in any way? It happens to be in use in India
> to authenticate a PPP connect through dial up line.

TACACS is a password-checking protocol for terminal servers.
TACACS is an insecure protocol, because it does not encrypt
the passwords before sending them across the network for checking.
i believe TACACS is supposed to be an alternative to RADIUS;
both protocols serve to centralize the administration and
checking of dialin passwords, so that all of your dialin
servers have a single pw database. i do not believe that TACACS
is really and securely compatible with kerberos.

when dialin protocols claim kerberos compatibility, this can
mean several things:

* the centralized pw server may be prepared to use the kdc
  as a pw-database. this violates krb's design principles,
  though.
* the dialin server may request tickets on the client's
  behalf, so as to check the user's password-entry. this
  is a very weak form of krb-compatibility, because the
  user cannot get or use his tickets from the dialin server.
  several modem vendors offer this form of krb compatibility.
* krb-compatible dialin should result in the dialin client
  having his krb tickets on his local cpu. i know of no
  dialin product that achieves this.

-don davis, boston