[7734] in Kerberos
Re: change passwd on the web
daemon@ATHENA.MIT.EDU (Deeran Peethamparam)
Wed Aug 7 01:23:19 1996
To: kerberos@MIT.EDU
Date: 7 Aug 1996 04:34:13 GMT
From: deeranp@ocean.asianconnect.com (Deeran Peethamparam)
Reply-To: deeranp@ocean.asianconnect.com
On 5 Aug 1996 11:35:06 -0400, Stephen C. Trier <trier@odin.INS.CWRU.Edu> wrote:
> On Aug 5, 12:34pm, Low Lay Hua wrote:
> > anyone have a cgi program that could change issue kpasswd on the web?

> Why do you want to do that? That would most likely require sending the
> passwords in plaintext. On top of that, the script will have to be
> very carefully designed to prevent the passwords from being written to
> cache somewhere. (Even then, you can't 100% guarantee some browser
> won't do something stupid...)

*springs to her defence*

For this purpose (changing the kerberos password for a dialup user)
sending the password in cleartext is not a huge security breach, as
it would most likely travel only down a phone line and via a (hopefully)
untapped network.

> You're much better off with real kpasswd or an equivalent program.

If only there were Windows/Mac versions of kpasswd which didn't require
a genius to set up. :)

Earlier in a private email conversation, I suggested not hacking kpasswd,
but using expect to script the change of password by "talk"ing to kpasswd
instead. Then on submission of the Web form, the cgi would just "talk"
to kpasswd.

Any other suggestions are most welcome.

Deeran
--
Deeran Peethamparam \\ PGP: finger deeranp@merlion.singnet.com.sg
deeranp@singnet.com.sg \\ HTTP: http://www.singnet.com.sg/~deeranp
deeranp@ocean.asianconnect.com \\ Will administer UNIX for chocolate.