
Re: ITP: pam-krb5



>>>>> "Sean" == Sean 'Shaleh' Perry <shaleh@valinux.com> writes:

    >> WARNING: for security reasons, you should not use this module
    >> for purposes other than local login (xdm, login, etc.). Don't
    >> use it over a network unless you _really_ know what you are
    >> doing.
    >> 

    Sean> security reasons? why?

Because Kerberos is a ticket-based authentication protocol. If you use
it as a password-based protocol across the network, the server has to
obtain your ticket on your behalf. A compromised server could then use
your ticket (or password to obtain a ticket at a later date) to log
into other accounts you own.

This would mean Kerberos is no better than using ssh password-based
authentication (assuming you are using a secure network connection and
not transmitting your password in the clear). Actually, you could
argue that it is worse, as you don't have the option of using
different passwords on different systems.


However, while this PAM module works for login, I can't get it working
yet for gdm (it logs me straight out again), so I will have to try and
work out why.
-- 
Brian May <bam@debian.org>


