The username definantly goes through in the clear. I assume the password
goes through using the normal NT hash. Interestingly enough it appears
that the defender challange/response does not (the link appears to be
encrypted by the time that comes up)
David Lang
On Mon, 17 Jul 2000, David Lang
wrote:
> Date: Mon, 17 Jul 2000 19:34:12 -0700 (PDT)
> From: David Lang <[EMAIL PROTECTED]>
> To: Ben Nagy <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>,
> "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> Subject: RE: Citrx Metaframe/NT4-TSE
>
> I installed the Axent ThinDefender client on citrix today. It does appear
> to work.
>
> what happens is that when you connect to the citrix server you first get a
> window propmting you for your NT username/password/domain, and then are
> presented with a window giveing the challange for your token. when you
> enter the correct response you then are connected.
>
> I am running the secureICA client but have not yet investigated to make
> sure that all the data on the sign-in is encrypted. If it is not your
> users usernames and hashed passwords may be vunerable, they will not be
> enough for the attacker to get in, but may be useful for other methods of
> attack.
>
> This works both for the full citrix client and also the IE based client.
>
> David Lang
>
> On Tue, 18 Jul 2000, Ben Nagy wrote:
>
> > Date: Tue, 18 Jul 2000 11:35:42 +0930
> > From: Ben Nagy <[EMAIL PROTECTED]>
> > To: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>,
> > "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> > Subject: RE: Citrx Metaframe/NT4-TSE
> >
> > (Sorry about the busted indenting - I'm at a customer site)
> >
> > I'm really sorry to insult your obviously vast intelligence and try your
> > obviously short patience, but I don't think I've actually "missed the point"
> > at all.
> >
> > You, on the other hand, seem to be labouring under several misapprehensions:
> >
> > 1. That a "kerberized" session is somehow much more secure than a
> > non-kerberized one. Kerberos allows for endpoint/service/user
> > authentication. However, Kerberos is still reliant on users picking strong
> > passwords.
> >
> > Kerberos does NOT offer any session level encryption or any other security
> > mechanism - it's an _authentication_ protocol. Go read the spec - I refer
> > you to RFC 1510 for the nitty-gritty, although there are probabaly much more
> > digestable descriptions. Maybe you're confusing Kerberos with something
> > else?
> >
> > 2. That I'm talking about a utility issue. I'm not - I couldn't care less if
> > the solution was transparent, slightly cumbersome or requires an incantation
> > and a pint of the user's blood. I was merely mentioning that your
> > "kerberized" solution could not be stronger than user passwords.
> >
> > In other words, if one were to pick "password" as their password, no amount
> > of Kerberos or fancy filters can stop someone guessing the password and
> > accessing the protected application.
> >
> > Contrast - the two-factor auth guys get to use _real_ authentication. This
> > does NOT give them protection against direct attacks on the boxes or the
> > service that don't rely on authentication, and you had some good ideas with
> > regards to securing this area.
> >
> > 3. That you're talking to a bunch of clueless morons on this list. How about
> > you try to give us a little more credit, huh?
> >
> > Cheers,
> >
> > --
> > Ben Nagy
> > Lounging Around a Customer's Network
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > To: Frank Knobbe; Ben Nagy; [EMAIL PROTECTED]
> > Sent: 18/07/00 7:10
> > Subject: RE: Citrx Metaframe/NT4-TSE
> >
> > The mechanism that allows the user to log is transparent.. The user has
> > no
> > clue that they are being authenticated by RADIUS or TACACS, and that
> > their
> > session is kerberized.
> >
> > The users do not login to Citrix via telnet.
> >
> > The end or external user will have a Citrix client installed, and the
> > connections are defined in their Citrix profile.
> >
> > If you offer to pay for travel and expensese I would be more than happy
> > to
> > sketch this out on a clean whiteboard.
> >
> > Geez
> >
> > /m
> > At 01:49 PM 7/17/00 -0500, Frank Knobbe wrote:
> > >-----BEGIN PGP SIGNED MESSAGE-----
> > >Hash: SHA1
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > Sent: Monday, July 17, 2000 11:58 AM
> > > >
> > > > Actually you missed the point, with Kerberos, RADIUS or
> > > > TACACS in place,
> > > > the whole mechanism is transparent to the user. That is why
> > > > it works.. :)
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
