Re: Kerberos on .debian.org?
>>>>> "Jason" == Jason Gunthorpe <jgg@debian.org> writes:
>> This sounds like a good argument to me. However, the LDAP
>> database is just as vulnerable... Isn't it?
Jason> You cannot reverse a hashed password into something you can
Jason> feed over the network to gain access. You can do that to a
Jason> stolen KDC database.
I would assume that if you had physical access to the console of the
LDAP (or KDC) database, then you could also make changes to the
database, such as adding/modifying entries to suit[1]. Then an attacker
could have instant access to any of the computers. Or am I mistaken?
Note:
[1] perhaps an attacker could create another account with the same UID
(not sure if this would work or not), or perhaps he/she could save the
existing password, and replace it with a new one.
--
Brian May <bam@debian.org>