On Mon, 26 Jul 1999, Troy Benjegerdes wrote:

> I would suggest that one dump the Unix/Linux /etc/passwd authentication
> completely (except for the root password) and use kerberos exclusively.
> Kerberos has a well thought out and robust security mechanism. I won't go
> into detail on all of the design decisions that went into it (those are
> covered on the MIT kerberos web site and documentation), but it is my
> opinion that it is the most secure authentication system for Unix like
> systems that exists in the Open Source world, and also quite possibly in
> the closed source world too.

I'll take this under serious consideration... Switching our system to Kerberos could have other added benefits.

> > BTW what exactly is the justification for the expirations? It seems to
> > decrease security (by requiring daemons which store the passwords in
> > cleartext) rather than increase it.
>
> One reason I can come up with is that expiration is needed in case a user
> logs out, and there isn't a mechanism by which venus can tell the user is
> no longer logged in, and that tokens should be destroyed. If this were not

Hmm... It can't simply check for termination of all processes owned by that user?

> the case, a machine which has been compromised could allow an attacker
> filesystem access to any accounts which have logged into the machine since
> it was last rebooted. (Granted, having the passwords in cleartext allows
> the same thing, but not *every* client will have cleartext passwords on
> it)

Yes, but couldn't the remote server simply clear all the old tokens when the rebooted machine connects up again? Also, would it be possible to allow a process to opt for no expiration when it acquires the token (e.g. with a command line parameter for clog)? This would introduce no new security concerns because the process would need to be storing the password in cleartext anyway to automatically reauthenticate.

> Kerberos expires tickets for the above reasons, and *also* so that an
> attacker with a packet sniffer only has a limited amount of time to play
> use the sniffed information. (Kerberos 5 has mechanisms to keep even this
> from happening)

How does Kerberos handle daemons which need to be indefinitely authenticated? Does it use the cleartext/cronjob kludge also?

Pete Gonzalez

Received on 1999-07-26 16:34:27