Coda File System

RE: $Home in coda

From: Pete Gonzalez <gonz_at_ratloop.com>
Date: Mon, 26 Jul 1999 16:35:16 -0400 (EDT)
On Mon, 26 Jul 1999, Troy Benjegerdes wrote:

> I would suggest that one dump the Unix/Linux /etc/passwd authentication
> completely (except for the root password) and use kerberos exclusively.
> Kerberos has a well thought out and robust security mechanism. I won't go
> into detail on all of the design decisions that went into it (those are
> covered on the MIT kerberos web site and documentation), but it is my
> opinion that it is the most secure authentication system for Unix like
> systems that exists in the Open Source world, and also quite possibly in
> the closed source world too.

I'll take this under serious consideration...  Switching our system to
Kerberos could have other added benefits.

> > BTW what exactly is the justification for the expirations?  It seems to
> > decrease security (by requiring daemons which store the passwords in
> > cleartext) rather than increase it.
> 
> One reason I can come up with is that expiration is needed in case a user
> logs out, and there isn't a mechanism by which venus can tell the user is
> no longer logged in, and that tokens should be destroyed. If this were not

Hmm...  It can't simply check for termination of all processes owned by
that user?

> the case, a machine which has been compromised could allow an attacker
> filesystem access to any accounts which have logged into the machine since
> it was last rebooted. (Granted, having the passwords in cleartext allows
> the same thing, but not *every* client will have cleartext passwords on
> it)

Yes, but couldn't the remote server simply clear all the old tokens when
the rebooted machine connects up again?

Also, would it be possible to allow a process to opt for no expiration
when it acquires the token (e.g. with a command line parameter for clog)?
This would introduce no new security concerns because the process would
need to be storing the password in cleartext anyway to automatically
reauthenticate.

> Kerberos expires tickets for the above reasons, and *also* so that an
> attacker with a packet sniffer only has a limited amount of time to
> use the sniffed information. (Kerberos 5 has mechanisms to keep even this
> from happening)

How does Kerberos handle daemons which need to be indefinitely
authenticated?  Does it use the cleartext/cronjob kludge also?

Pete Gonzalez
Received on 1999-07-26 16:34:27
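The two client-side mechanisms argued over in this exchange, a time-based token lifetime and the suggested alternative of destroying a user's tokens once no process owned by that user remains, can be sketched as a small housekeeping routine. The block below is an added illustration written for this archive page; it is not code from the Coda project or from either correspondent, and the `no_expire` flag is a hypothetical stand-in for the "opt for no expiration" clog parameter that is only proposed here, not something clog actually offers. The process check reads the Linux `/proc` tree, which is an assumption about the client platform.

```python
"""Constructed model of client-side token housekeeping (not Coda's venus code)."""
import os
import time
from dataclasses import dataclass


@dataclass
class Token:
    uid: int                 # local user the token was obtained for
    issued_at: float         # epoch seconds when the token was acquired
    lifetime: float          # seconds before the token is considered expired
    no_expire: bool = False  # hypothetical daemon opt-out, as proposed in the thread


def live_uids_from_proc(proc_root="/proc"):
    """Return the set of uids that own at least one live process.

    Walks the numeric entries of /proc (Linux); the owner of /proc/<pid>
    is the uid of that process.  Processes that exit between listdir()
    and stat() are simply skipped.
    """
    uids = set()
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return uids
    for name in entries:
        if not name.isdigit():
            continue
        try:
            uids.add(os.stat(os.path.join(proc_root, name)).st_uid)
        except OSError:
            continue  # process vanished; nothing to record
    return uids


def should_destroy(token, now, live_uids):
    """Decide whether a cached token should be discarded.

    Returns (destroy, reason).  The "logged out" test comes first so that
    a daemon opt-out never keeps a token alive for a user with no processes.
    """
    if token.uid not in live_uids:
        return True, "no live process owned by uid"
    if not token.no_expire and now >= token.issued_at + token.lifetime:
        return True, "lifetime expired"
    return False, "keep"


def sweep(tokens, now, live_uids):
    """Partition tokens into kept and destroyed lists of (uid, reason)."""
    kept, destroyed = [], []
    for t in tokens:
        destroy, why = should_destroy(t, now, live_uids)
        (destroyed if destroy else kept).append((t.uid, why))
    return kept, destroyed


if __name__ == "__main__":
    # Constructed sample cache; run against the real /proc of this host.
    now = time.time()
    sample = [
        Token(uid=os.getuid(), issued_at=now - 100, lifetime=3600),
        Token(uid=os.getuid(), issued_at=now - 100, lifetime=50),
        Token(uid=65534, issued_at=now, lifetime=3600),  # likely no processes
    ]
    kept, destroyed = sweep(sample, now, live_uids_from_proc())
    print("kept:", kept)
    print("destroyed:", destroyed)
```

Two caveats a client implementer would want to keep in mind: the process-ownership test is a heuristic rather than a logout event, since a user can leave a detached process behind (nohup, screen) and so remain "logged in" indefinitely, and uid 0 always owns processes, so root's tokens would never be reaped by this rule alone. That is why the time-based lifetime is kept as a second, independent bound in the sketch above.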