Re: Intent to package KerberosV
Hi, Brian.
> Phew! What a relief - now I don't have to do it ;-)
If I fail I'll be sure to pass everything on to you :)
> Kerberos tickets expire after a time limit, and while anyone who uses it
> within that time limit could still do as much damage (eg rm -rf $HOME),
> I think it is less risky.
Unless the system you are sat at is insecure, having the ticket fall into
someone else's hands does not pose a security problem since they will be
unable to extract the session key. Kerberos V is even more secure;
servers have replay-caches to stop authenticators being replayed.
I advise anyone interested in Kerberos to read:
http://web.mit.edu/Kerberos/www/dialogue.html
This is a well written page that manages to get across the mechanics
without giving the reader suicidal urges.
> Sure, there are problems with Kerberos, like what if the security of the
> kerberos server gets compromised, but IMHO this is a non-issue. If the
> server at one organisation gets compromised, the worst it could mean is
> that all my accounts at that site get compromised (at least that is my
> opinion). NFS already makes the same thing possible without resorting to
> breaking into kerberos servers ;-)
The KDCs are usually ultra-secure machines which provide few if any other
services. Having any individual server compromised can only then
give away the ticket-granting tickets stored on the machine; revoking
them promptly is a good effort towards damage limitation.
> If I were to change to using Kerberos, I would most likely use the
> following applications: postgresql, cvs, xdm, openldap, pop with
> Maildir support(???? does something like this exist???). I have yet
> to check what Mail clients I use actually have kpop support. :-). If
> xdm cannot be ported, what about wdm and/or kdm???
There was quite a bit of talk about kerberised clients on this list a
while back. The consensus was that a PAM module would prolly be a good
way to go. Guess what I am working on.
> My main concern for kerberos, at least with version 4, is that
> when running kinit or kauth to "login" there doesn't seem to be any way
> of verifying that the kerberos server is the real server. Does
> version 5 do anything to help this?
Both Kerberos IV and V have mutual authentication. I really recommend
you read the url above; it is quite comprehensive :)
Cheers,
Matt
Matt Kern   Tel: (01223) 355588
matt.kern@pobox.com   http://xanadu.pet.cam.ac.uk/~mwk20/
If I had better tools, I could more effectively demonstrate my total incompetence.