RE: ITP: pam-krb5
On Thu, 16 Nov 2000, Sean 'Shaleh' Perry wrote:
> > If you use pam-krb5 for authenticating (e.g.) telnet or ftp, you'll
> > effectively negate the security advantages of using Kerberos, because you'll
> > be passing a cleartext password across the network before authenticating
> > against Kerberos. For some people, plaintext passwords on a network are not
> > really an issue; but if you're using Kerberos as a backend it definitely /is/
> > an issue, because people may trust the security of the system "just because"
> > you're using Kerberos.
> I used GNU machines for a while. I had to get an auth ticket, then I used krb
> telnet. Was my password sent in cleartext when I received my ticket?
Not when using kerberized telnet, because krb telnet authenticates using the
Kerberos protocol. The issue is specific to using something like pam-krb5 to
do Kerberos authentication behind the scenes, without any true Kerberos
support in the application. OTOH, if you were to telnet from your local
machine and /then/ run 'kinit' to get a ticket, you would obviously have the
same problem because you're typing the password cleartext across the network.
Steve Langasek
postmodern programmer
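The pattern the thread warns about, a password-prompting network service such as telnet or ftp whose PAM auth stack hands the typed password to pam-krb5, can be audited mechanically. The following script is an added example for this discussion, not code from the thread or from the pam-krb5 package. It assumes a Debian-style /etc/pam.d layout with one file per service and `@include` lines, that the module is installed as `pam_krb5.so`, and it operates on a constructed in-memory set of config files rather than reading the real directory.

```python
"""Audit PAM service configs for pam_krb5 used behind cleartext-network services.

Added example (not from the original thread). Assumes a Debian-style
/etc/pam.d layout with '@include' and a module named 'pam_krb5.so'.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample contents of /etc/pam.d/*, keyed by service name.
SAMPLE_PAM_DIR: Dict[str, str] = {
    "common-auth": (
        "auth sufficient pam_krb5.so\n"
        "auth required pam_unix.so nullok_secure\n"
    ),
    "telnet": (
        "# telnetd hands the login off to PAM\n"
        "@include common-auth\n"
        "@include common-account\n"
    ),
    "ftp": (
        "auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers\n"
        "auth required pam_unix.so\n"
    ),
    "login": (
        "@include common-auth\n"
        "auth required pam_securetty.so\n"
    ),
    "common-account": "account required pam_unix.so\n",
}

# Services that prompt for a password over an unencrypted connection.
CLEARTEXT_SERVICES: Set[str] = {"telnet", "ftp"}

# type  control  module-path  [args]; control may be a bracketed [..] form.
PAM_LINE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$"
)


def auth_modules(service: str, pam_dir: Dict[str, str],
                 _seen: Optional[Set[str]] = None) -> List[str]:
    """Return the ordered module names in the 'auth' stack for a service,
    following Debian-style '@include' lines and ignoring comments."""
    if _seen is None:
        _seen = set()
    if service in _seen or service not in pam_dir:
        return []
    _seen.add(service)
    modules: List[str] = []
    for raw in pam_dir[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            included = line.split(None, 1)[1].strip()
            modules.extend(auth_modules(included, pam_dir, _seen))
            continue
        m = PAM_LINE.match(line)
        if m and m.group(1) == "auth":
            modules.append(m.group(3))
    return modules


def find_cleartext_krb5(pam_dir: Dict[str, str],
                        cleartext_services: Set[str] = CLEARTEXT_SERVICES
                        ) -> Dict[str, List[str]]:
    """Map each cleartext-network service whose auth stack includes
    pam_krb5 to that stack, so an admin can see what is exposed."""
    findings: Dict[str, List[str]] = {}
    for svc in sorted(cleartext_services):
        stack = auth_modules(svc, pam_dir)
        if any(mod.startswith("pam_krb5") for mod in stack):
            findings[svc] = stack
    return findings


if __name__ == "__main__":
    for svc, stack in find_cleartext_krb5(SAMPLE_PAM_DIR).items():
        print(f"{svc}: password reaches Kerberos via PAM; auth stack = {stack}")
```

On the constructed sample, `telnet` is flagged because its `@include common-auth` pulls in `pam_krb5.so`, while `ftp` is not flagged since its stack contains only `pam_listfile.so` and `pam_unix.so`. A kerberized telnet client that authenticates with a ticket never reaches this PAM password path, which is the distinction Steve draws above; the script only reports where the PAM path exists.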