
Re: Kerberos on .debian.org?



>>>>> "Steve" == Steve Langasek <vorlon@netexpress.net> writes:

    Steve> On 8 Mar 2001, Turbo Fredriksson wrote:
    >> I've been playing with the krb5-* packages and I'm _IMPRESSED_!
    >> I never used kerberos before, but it's cool (and secure, let's
    >> not forget that! :).

    >> With the help of 'libpam-krb5' and the pam_krb5_migrate.so (can
    >> be found at 'ftp://ftp.netexpress.net/pub/pam/') it would be
    >> 'easy' to be able to use krsh/ktelnet etc to login securely to
    >> any Debian machine.

    Steve> Careful -- you should never use libpam-krb5 for
    Steve> authenticating remote connections.  It won't provide secure
    Steve> communication with the remote user; the password will be
    Steve> sent plaintext across the network, and then securely
    Steve> verified against the KDC.  If you want kerberos network
    Steve> authentication, you'll need to set up krshd and ktelnetd.

libpam-krb5 makes a fine addition to ssh and is no less secure than
ssh itself.
Also, note that in an environment where you use krb5 and allow
plaintext passwords, you may choose to use libpam-krb5 rather than say
storing your passwords in LDAP.  Yes, it is insecure, but provides
better migration possibilities.  Then again, I suspect you know all
about that. ;)


