On Mon, 26 Jul 1999, Troy Benjegerdes wrote:
> I would suggest that one dump the Unix/Linux /etc/passwd authentication
> completely (except for the root password) and use Kerberos exclusively.
> Kerberos has a well thought out and robust security mechanism. I won't go
> into detail on all of the design decisions that went into it (those are
> covered on the MIT Kerberos web site and documentation), but it is my
> opinion that it is the most secure authentication system for Unix-like
> systems that exists in the Open Source world, and also quite possibly in
> the closed source world too.
I'll take this under serious consideration... Switching our system to
Kerberos could have other added benefits.
> > BTW what exactly is the justification for the expirations? It seems to
> > decrease security (by requiring daemons which store the passwords in
> > cleartext) rather than increase it.
>
> One reason I can come up with is that expiration is needed in case a user
> logs out, and there isn't a mechanism by which venus can tell the user is
> no longer logged in, and that tokens should be destroyed. If this were not
Hmm... It can't simply check for termination of all processes owned by
that user?
> the case, a machine which has been compromised could allow an attacker
> filesystem access to any accounts which have logged into the machine since
> it was last rebooted. (Granted, having the passwords in cleartext allows
> the same thing, but not *every* client will have cleartext passwords on
> it)
Yes, but couldn't the remote server simply clear all the old tokens when
the rebooted machine connects up again?
Also, would it be possible to allow a process to opt for no expiration
when it acquires the token (e.g. with a command line parameter for clog)?
This would introduce no new security concerns because the process would
need to be storing the password in cleartext anyway to automatically
reauthenticate.
> Kerberos expires tickets for the above reasons, and *also* so that an
> attacker with a packet sniffer only has a limited amount of time to
> use the sniffed information. (Kerberos 5 has mechanisms to keep even this
> from happening)
How does Kerberos handle daemons which need to be indefinitely
authenticated? Does it use the cleartext/cronjob kludge also?
Pete Gonzalez