
RE: ITP: pam-krb5



On Thu, 16 Nov 2000, Sean 'Shaleh' Perry wrote:

> > If you use pam-krb5 for authenticating (e.g.) telnet or ftp, you'll
> > effectively negate the security advantages of using Kerberos, because you'll
> > be passing a cleartext password across the network before authenticating
> > against Kerberos.  For some people, plaintext passwords on a network are not
> > really an issue; but if you're using Kerberos as a backend it definitely /is/
> > an issue, because people may trust the security of the system "just because"
> > you're using Kerberos.

> I used GNU machines for a while.  I had to get an auth ticket, then I used krb
> telnet.  Was my password sent in cleartext when I received my ticket?

Not when using kerberized telnet, because krb telnet authenticates using the
Kerberos protocol.  The issue is specific to using something like pam-krb5 to
do Kerberos authentication behind the scenes, without any true Kerberos
support in the application.  OTOH, if you were to telnet from your local
machine and /then/ run 'kinit' to get a ticket, you would obviously have the
same problem because you're typing the password cleartext across the network.

Steve Langasek
postmodern programmer
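To make the distinction in the message above concrete, here is an added toy model of the two login paths (example code, not part of the original post and not pam-krb5's or Debian's code). It records every message that crosses the "network" and then checks on which hop a passive sniffer would see the password. The cryptography is a constructed stand-in (SHA-256 keystream with an HMAC tag, PBKDF2 as string-to-key), not Kerberos' real enctypes, the realm, principal names and password are made up, and the client asks the KDC directly for a service ticket instead of going through a TGT.

```python
import hashlib, hmac, json, os, time

REALM, PASSWORD = "EXAMPLE.COM", "correct horse"   # constructed realm and user password

def _keystream(key: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj) -> bytes:
    """Toy 'encrypt' (NOT a Kerberos enctype): keystream XOR plus an HMAC tag."""
    data = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes):
    """Inverse of seal(); raises ValueError when the key is wrong (tag mismatch)."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))

def string_to_key(password: str) -> bytes:
    """Stand-in for Kerberos string2key: long-term key derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 10_000)

def send(wire: list, src: str, dst: str, payload: bytes) -> bytes:
    """Every message crosses the 'network' here, so a sniffer sees exactly this list."""
    wire.append((src, dst, payload))
    return payload

class KDC:
    def __init__(self):
        self.keys = {"alice": string_to_key(PASSWORD),
                     "host/telnetd": os.urandom(32)}  # service key; telnetd holds a copy (keytab)

    def as_exchange(self, as_req: bytes) -> bytes:
        """AS-REQ -> AS-REP. Pre-auth: the timestamp must decrypt under the client's key."""
        req = json.loads(as_req)
        ckey = self.keys[req["cname"]]
        if abs(time.time() - unseal(ckey, bytes.fromhex(req["padata"]))["ts"]) > 300:
            raise ValueError("clock skew too large")
        session = os.urandom(32).hex()
        ticket = seal(self.keys[req["sname"]], {"cname": req["cname"], "key": session})
        return json.dumps({"ticket": ticket.hex(),
                           "enc_part": seal(ckey, {"key": session}).hex()}).encode()

def kinit(wire, kdc, cname, password, src):
    """AS exchange run from `src`: only an encrypted timestamp leaves `src`, never the password."""
    key = string_to_key(password)
    as_req = json.dumps({"cname": cname, "sname": "host/telnetd",
                         "padata": seal(key, {"ts": time.time()}).hex()}).encode()
    send(wire, src, "kdc", as_req)
    as_rep = json.loads(send(wire, "kdc", src, kdc.as_exchange(as_req)))
    return unseal(key, bytes.fromhex(as_rep["enc_part"]))["key"], bytes.fromhex(as_rep["ticket"])

class Telnetd:
    def __init__(self, kdc):
        self.kdc, self.keytab = kdc, kdc.keys["host/telnetd"]

    def accept_ap_req(self, ap_req: bytes) -> str:
        """Kerberized telnet: ticket + authenticator. No password is ever handled."""
        req = json.loads(ap_req)
        ticket = unseal(self.keytab, bytes.fromhex(req["ticket"]))
        auth = unseal(bytes.fromhex(ticket["key"]), bytes.fromhex(req["authenticator"]))
        if auth["cname"] != ticket["cname"]:
            raise ValueError("authenticator does not match ticket")
        return ticket["cname"]

    def accept_password(self, wire, login_line: bytes) -> str:
        """Plain telnet + pam-krb5: the password already crossed the wire in the clear;
        the server runs the AS exchange itself, then checks the ticket against its keytab
        (that check is what stops a spoofed KDC from simply answering 'yes')."""
        user, password = login_line.decode().rstrip("\n").split(":", 1)
        _, ticket = kinit(wire, self.kdc, user, password, src="telnetd")
        unseal(self.keytab, ticket)
        return user

def login_kerberized_telnet(password=PASSWORD):
    wire, kdc = [], KDC()
    session, ticket = kinit(wire, kdc, "alice", password, src="client")
    authenticator = seal(bytes.fromhex(session), {"cname": "alice", "ts": time.time()})
    ap_req = json.dumps({"ticket": ticket.hex(), "authenticator": authenticator.hex()}).encode()
    return Telnetd(kdc).accept_ap_req(send(wire, "client", "telnetd", ap_req)), wire

def login_telnet_pam_krb5(password=PASSWORD):
    wire, kdc = [], KDC()
    line = send(wire, "client", "telnetd", f"alice:{password}\n".encode())
    return Telnetd(kdc).accept_password(wire, line), wire

def leaking_hops(wire, password=PASSWORD):
    """Hops on which a passive sniffer would see the password in cleartext."""
    return [(s, d) for s, d, p in wire if password.encode() in p]

if __name__ == "__main__":
    for flow in (login_kerberized_telnet, login_telnet_pam_krb5):
        user, wire = flow()
        print(f"{flow.__name__}: user={user} password visible on {leaking_hops(wire)}")
```

Both flows authenticate "alice" and both reject a wrong password at the KDC, but only the pam-krb5 path puts the password on the client-to-server hop; the server-side AS exchange it performs afterwards leaks nothing, which is exactly why the Kerberos backend gives a false sense of security there. Note that in the pam-krb5 path the server must still verify the freshly obtained ticket against its own keytab, as `accept_password` does; a PAM module that only checks whether the KDC returned a ticket can be fooled by anyone who can spoof the KDC.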


