
Re: Kerberos on .debian.org?



On 10 Mar 2001, Brian May wrote:

> Just to clarify: ...if connectivity between a users host and the KDC
> is broken...

There is still a need for the server to talk to the KDC. This is required
to support legacy non-kerb clients using normal passwords. The server
must contact the KDC to verify it.

server->kdc and user->kdc are both issues with Kerberos, and both are
serious problems when you have an unreliable internet between you and it.

> not be able to obtain new tickets, but users who already have tickets
> for the required service will continue to be able to make new

Which for all intents and purposes is the same as being dead, as far as
I'm concerned.

> This sounds like a good argument to me. However, the LDAP database is
> just as vulnerable... Isn't it?

You cannot reverse a hashed password into something you can feed over the
network to gain access. You can do that to a stolen KDC database.

Jason
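
A toy model of the distinction drawn in the last paragraph of the message above, as an added example that is not part of the original message. It is not real Kerberos or LDAP: the class names, the PBKDF2 derivation and the HMAC challenge-response are assumptions chosen to show why a stored long-term key is itself the credential while a stored password hash is not.

```python
import hashlib
import hmac
import os

def derive(password: bytes, salt: bytes) -> bytes:
    # Stand-in for both a password hash and a string-to-key function (assumption).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

class HashDirectory:
    """Model A: the store keeps a salted hash; the client submits the password."""
    def __init__(self):
        self.db = {}  # user -> (salt, hash)
    def enroll(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, derive(password, salt))
    def login(self, user: str, submitted: bytes) -> bool:
        salt, stored = self.db[user]
        # Whatever arrives over the network is hashed again before comparison.
        return hmac.compare_digest(derive(submitted, salt), stored)

class KeyStore:
    """Model B: the store keeps the long-term key; the client proves it knows the key."""
    def __init__(self):
        self.db = {}  # user -> (salt, key)
    def enroll(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, derive(password, salt))
    def challenge(self) -> bytes:
        return os.urandom(16)
    def login(self, user: str, nonce: bytes, proof: bytes) -> bool:
        _, key = self.db[user]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

def prove(key: bytes, nonce: bytes) -> bytes:
    # Client side of model B: only the key is needed, never the password.
    return hmac.new(key, nonce, hashlib.sha256).digest()

def stolen_record_authenticates():
    """Return (model_a, model_b): does the stored record alone pass login?"""
    pw = b"constructed-sample-password"  # constructed sample value
    a, b = HashDirectory(), KeyStore()
    a.enroll("alice", pw)
    b.enroll("alice", pw)
    _, stored_hash = a.db["alice"]
    _, stored_key = b.db["alice"]
    nonce = b.challenge()
    return (a.login("alice", stored_hash),
            b.login("alice", nonce, prove(stored_key, nonce)))
```

The practical consequence for a defender is that a database of long-term keys needs the same protection as a file of cleartext passwords, and that recovery from its exposure means rekeying every principal.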


