Re: Intent to package KerberosV

To: Brian May <bam@snoopy.apana.org.au>
Cc: debian-devel@lists.debian.org
Subject: Re: Intent to package KerberosV
From: Matt Kern <mwk20@cam.ac.uk>
Date: Thu, 24 Jun 1999 14:17:10 +0100 (GMT)
Message-id: <[🔎] Pine.LNX.3.96.990624140311.13981C-100000@xanadu.pet.cam.ac.uk>
Reply-to: Matt Kern <matt.kern@pobox.com>
In-reply-to: <[🔎] 19990624124930.B5482@nexus.dgs.monash.edu.au>

Hi, Brian.

> Phew! What a relief - now I don't have to do it ;-)

If I fail I'll be sure to pass everything on to you :)

> Kerberos tickets expire after a time limit, and while anyone who uses it
> within that time limit could still do as much damage (eg rm -rf $HOME),
> I think it is less risky. 

Unless the system you are sat at is insecure, having the ticket fall into
someone elses hands does not pose a security problem since they will be
unable to extract the session key.  Kerberos V is even more secure; 
servers have replay-caches to stop authenticators being replayed. 

I advise anyone interested in Kerberos to read:

		http://web.mit.edu/Kerberos/www/dialogue.html

This is a well written page that manages to get across the mechanics
without giving the reader suicidal urges.

> Sure, there are problems with Kerberos, like what if the security of the
> kerberos server gets comprimised, but IMHO this is a non-issue. If the
> server at one organisation gets comprimised, the worst it could mean is
> that all my accounts at that site get comprimised (at least that is my
> opinion). NFS already makes the same thing possible without resorting to
> breaking into kerberos servers ;-)

The KDCs are usually ultra-secure machines which provide few if any other
services.  Having any individual server compromised can only then
give-away the ticket-granting tickets stored on the machine;  revoking
them promptly is a good effort towards damage limitation.

> If I were to change to using Kerberos, I would most likely use the
> following applications: postgresql, cvs, xdm, openldap, pop with
> Maildir support(???? does something like this exist???). I have yet
> to check what Mail clients I use actually have kpop support. :-). If
> xdm cannot be ported, what about wdm and/or kdm???

There was quite a bit of talk about kerberised clients on this list a
while back.  The concensus was that a PAM module would prolly be a good
way to go.  Guess what I am working on.

> My main concern for kerberos, at least with version 4, is that
> when running kinit or kauth to "login" there doesn't seem to be anyway
> of verifying that the kerberos server is the real server.  Does
> version 5 do anything to help this? 

Both Kerberos IV and V have mutual authentication.  I really recommend
you read the url above;  it is quite comprehensive :)

Cheers,

Matt

  \\\\/////  Matt Kern            Tel: (01223) 355588
  |       |  matt.kern@pobox.com  http://xanadu.pet.cam.ac.uk/~mwk20/
  | O   O |
  |   L   |  If I had better tools, I could more effectively
  | \__   |  demonstrate my total incompetence.
   \_____/

Reply to:

Follow-Ups:
- Re: Intent to package KerberosV
  - From: Brian May <bam@snoopy.apana.org.au>
- KerberosV - how to use UDP without errors?
  - From: Brian May <bam@snoopy.apana.org.au>

References:
- Re: Intent to package KerberosV
  - From: Brian A May <bmay@dgs.monash.edu.au>

Prev by Date: Re: Official Debian digital 'branding' of debs
Next by Date: Re: Sound-monitor 0.7.0 package
Previous by thread: Re: Intent to package KerberosV
Next by thread: Re: Intent to package KerberosV
Index(es):
- Date
- Thread