Re: Kerberos on .debian.org?
On 10 Mar 2001, Brian May wrote:
> Just to clarify: ...if connectivity between a users host and the KDC
> is broken...
There is still a need for the server to talk to the KDC. This is required
to support legacy non-kerb clients using normal passwords. The server
must contact the KDC to verify it.
server->kdc and user->kdc are both issues with Kerberos, and both are
serious problems when you have an unreliable internet between you and it.
> not be able to obtain new tickets, but users who already have tickets
> for the required service will continue to be able to make new
Which for all intents and purposes is the same as being dead, as far as
I'm concerned.
> This sounds like a good argument to me. However, the LDAP database is
> just as vulnerable... Isn't it?
You cannot reverse a hashed password into something you can feed over the
network to gain access. You can do that to a stolen KDC database.
Jason
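
The difference between the two stolen databases, as an added example that is not part of the original message: a toy model in which the directory server hashes whatever the client submits, while the KDC stores the shared key itself. The class names, the sample password and the HMAC challenge standing in for the Kerberos exchange are all assumptions made for illustration.

```python
import hashlib, hmac, os

def derive(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for both the directory's password hash and Kerberos string-to-key.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000)

class HashedPasswordServer:
    """Hypothetical simple-bind server: stores salt + hash, hashes each submission."""
    def __init__(self):
        self.db = {}
    def enroll(self, user, password: bytes):
        salt = os.urandom(16)
        self.db[user] = (salt, derive(password, salt))
    def login(self, user, submitted: bytes) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(derive(submitted, salt), stored)

class ToyKDC:
    """Hypothetical KDC: stores the derived key, which is the shared secret itself."""
    def __init__(self):
        self.db = {}
    def enroll(self, user, password: bytes):
        salt = os.urandom(16)
        self.db[user] = (salt, derive(password, salt))
    def verify(self, user, nonce: bytes, proof: bytes) -> bool:
        _, key = self.db[user]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

def compare_stolen_database_value():
    password = b"constructed-sample-password"  # constructed sample input
    ldap, kdc = HashedPasswordServer(), ToyKDC()
    ldap.enroll("alice", password)
    kdc.enroll("alice", password)
    _, stolen_hash = ldap.db["alice"]  # the value a database copy would expose
    _, stolen_key = kdc.db["alice"]
    nonce = os.urandom(16)
    proof = hmac.new(stolen_key, nonce, hashlib.sha256).digest()
    return {
        "password_accepted": ldap.login("alice", password),
        # The server hashes the submitted hash again, so it does not match.
        "hash_accepted_as_password": ldap.login("alice", stolen_hash),
        # The key is all the client ever needs to prove; the password is not.
        "key_accepted_as_proof": kdc.verify("alice", nonce, proof),
    }

if __name__ == "__main__":
    print(compare_stolen_database_value())
```

The practical consequence for a deployment is that the KDC database has to be protected as if it held the plaintext credentials of every principal.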