-----BEGIN PGP SIGNED MESSAGE-----

The trouble is that from what you are describing the only authentication
to get the ticket is the plain-text reusable password.

For you this may be enough; for my environment it isn't. Tokens are
relatively cheap.

Also, tokens do not have a checkbox labelled 'remember my password'.

David Lang

On Mon, 17 Jul 2000 [EMAIL PROTECTED] wrote:

> Date: Mon, 17 Jul 2000 19:43:42 -0700
> From: [EMAIL PROTECTED]
> To: Ben Nagy <[EMAIL PROTECTED]>,
>      "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> Subject: RE: Citrx Metaframe/NT4-TSE
> 
> Excuse me, the ticket is only good for that session only.  The reason why 
> the solution is elegant is because it is freely available versus spending 
> lots of money on a whole bunch of vendor ick or snake oil which then becomes 
> a vendor nightmare.  I know a whole bunch of consultants who love to charge 
> lots of money for these great and expensive solutions when one can download 
> some free software, slap it together and voila.
> 
> Nothing is truly secure, unless one decides to spend lots and 
> lots of money to protect their organization as the Government does with 
> Fort Knox.. :)
> The point being if users pick dumb passwords, then the person who is 
> responsible for enforcing the password policy.
> 
> Kerberos is just one layer of the solution.  There are some security 
> refinements one can turn on on the Unix side or the NT side of things to 
> enforce good passwords.
> 
> Let's get something straight here, implementing Citrix Metaframe should not 
> be like the government trying to fix the Hubble Telescope.  At least they 
> figured out how to get into space.  Whether it works or not is another story..
> 
> Be my guest if you want the user to remember their username, their 
> password, and to carry this dorky token thing around.. If you 
> are going down that path, why not just spend the money and have every 
> single employee web-wired (see Johnny Mnemonic)..  That way this whole 
> discussion is then moot.  All one needs to worry about then is a very large 
> dolphin  :)
> 
> /m
> At 11:35 AM 7/18/00 +0930, Ben Nagy wrote:
> >(Sorry about the busted indenting - I'm at a customer site)
> >
> >I'm really sorry to insult your obviously vast intelligence and try your
> >obviously short patience, but I don't think I've actually "missed the point"
> >at all.
> >
> >You, on the other hand, seem to be labouring under several misapprehensions:
> >
> >1. That a "kerberized" session is somehow much more secure than a
> >non-kerberized one. Kerberos allows for endpoint/service/user
> >authentication. However, Kerberos is still reliant on users picking strong
> >passwords.
> >
> >Kerberos does NOT offer any session level encryption or any other security
> >mechanism - it's an _authentication_ protocol. Go read the spec - I refer
> >you to RFC 1510 for the nitty-gritty, although there are probably much more
> >digestible descriptions. Maybe you're confusing Kerberos with something
> >else?
> >
> >2. That I'm talking about a utility issue. I'm not - I couldn't care less if
> >the solution was transparent, slightly cumbersome or requires an incantation
> >and a pint of the user's blood. I was merely mentioning that your
> >"kerberized" solution could not be stronger than user passwords.
> >
> >In other words, if one were to pick "password" as their password, no amount
> >of Kerberos or fancy filters can stop someone guessing the password and
> >accessing the protected application.
> >
> >Contrast - the two-factor auth guys get to use _real_ authentication. This
> >does NOT give them protection against direct attacks on the boxes or the
> >service that don't rely on authentication, and you had some good ideas with
> >regards to securing this area.
> >
> >3. That you're talking to a bunch of clueless morons on this list. How about
> >you try to give us a little more credit, huh?
> >
> >Cheers,
> >
> >--
> >Ben Nagy
> >Lounging Around a Customer's Network
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >To: Frank Knobbe; Ben Nagy; [EMAIL PROTECTED]
> >Sent: 18/07/00 7:10
> >Subject: RE: Citrx Metaframe/NT4-TSE
> >
> >The mechanism that allows the user to log in is transparent.. The user has
> >no clue that they are being authenticated by RADIUS or TACACS, and that
> >their session is kerberized.
> >
> >The users do not login to Citrix via telnet.
> >
> >The end or external user will have a Citrix client installed, and the
> >connections are defined in their Citrix profile.
> >
> >If you offer to pay for travel and expenses I would be more than happy
> >to sketch this out on a clean whiteboard.
> >
> >Geez
> >
> >/m
> >At 01:49 PM 7/17/00 -0500, Frank Knobbe wrote:
> > >-----BEGIN PGP SIGNED MESSAGE-----
> > >Hash: SHA1
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > Sent: Monday, July 17, 2000 11:58 AM
> > > >
> > > > Actually you missed the point, with Kerberos, RADIUS or
> > > > TACACS in place,
> > > > the whole mechanism is transparent to the user.  That is why
> > > > it works.. :)
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBOXSc3T7msCGEppcbAQHYCwf9GKHjZaxYrOe6HK8kWHMEmVgVoBKbP1E6
VTh2cH1tEx7FXGvKn/rGkJXg0Z5yBPdUFyems6LMW+OvuTrH5/9K83/tX+MlyxLh
8PwcKtEDO98rg8xR4VUp/LHdCTbixwClHSJ1zWzDC28ffbWWxvae2dpW20Mva430
oqwyySxnSl4SNsaFsSLJqIfLLJWrxG/nHjl+4aeIPk5/MDqXTkfLKdsVHvrct5C3
olVXrfaggRvNbQVz/cPs9BcUsGRYbN5mAcJCbmVHXzCyqRXbXXPRvcBZ/0M4QqGh
syBoSJYCqYnFMMAKWoLqWk5xY2ctYPa6gJkBqs/EN+DfvFfal0IORA==
=/oSd
-----END PGP SIGNATURE-----
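As an added illustration of the two points argued in this thread (a Kerberos-style ticket whose only protection is a key derived from the user's password is only as strong as that password, and a one-time token leaves nothing reusable to remember or replay), here is a toy model in Python. It is not code from the thread, from RFC 1510 or from any Kerberos, RADIUS or token vendor's implementation: the string-to-key function, the stream cipher, the "SESSION:" message layout, the EXAMPLE.COM realm, the user "alice", the word list and the HOTP-like token code are all constructed stand-ins.

```python
"""Toy model: password-derived ticket key vs. one-time token.

Constructed for illustration. The string-to-key function, the keystream
cipher and the message layout are stand-ins, NOT the enctypes of RFC 1510.
"""
import hashlib
import hmac
import os
from typing import Optional

REALM = "EXAMPLE.COM"   # assumed realm name, not from the thread
MARKER = b"SESSION:"    # lets a decryptor (legitimate or not) recognise the right key


def string_to_key(password: str, realm: str = REALM) -> bytes:
    # Stand-in for Kerberos string2key: deterministic, so anyone who can
    # guess the password can recompute the client's long-term key.
    return hashlib.sha256((realm + ":" + password).encode()).digest()


def keystream(key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from a hash; illustration only.
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kdc_as_reply(principal: str, password_db: dict, session_key: bytes) -> bytes:
    # The KDC hands back the session key encrypted under the client's
    # password-derived key. That password is the only secret in the way.
    client_key = string_to_key(password_db[principal])
    plaintext = MARKER + session_key
    return xor(plaintext, keystream(client_key, len(plaintext)))


def client_decrypt(reply: bytes, password: str) -> bytes:
    # Returns the session key, or raises if this password gives the wrong key.
    pt = xor(reply, keystream(string_to_key(password), len(reply)))
    if not pt.startswith(MARKER):
        raise ValueError("wrong password")
    return pt[len(MARKER):]


def dictionary_attack(captured_reply: bytes, wordlist) -> Optional[str]:
    # Offline guessing: no further contact with the KDC, so no lockout
    # or rate limit applies. Returns the recovered password or None.
    for guess in wordlist:
        try:
            client_decrypt(captured_reply, guess)
            return guess
        except ValueError:
            continue
    return None


def token_code(seed: bytes, counter: int) -> str:
    # HOTP-like counter code over a per-token seed (toy truncation, not RFC 4226).
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class TokenVerifier:
    """Server side of a one-time token: each counter value is accepted at most once."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(token_code(self.seed, c), code):
                self.next_counter = c + 1  # burn this and every earlier counter
                return True
        return False


def demo() -> dict:
    # Constructed data: the weak choice Ben Nagy names, in a tiny word list.
    password_db = {"alice": "password"}
    reply = kdc_as_reply("alice", password_db, os.urandom(32))
    wordlist = ["123456", "letmein", "password", "Tr0ub4dor&3"]
    cracked = dictionary_attack(reply, wordlist)

    seed = os.urandom(20)
    verifier = TokenVerifier(seed)
    code = token_code(seed, 0)        # what the user reads off the token
    first = verifier.verify(code)     # legitimate login
    replay = verifier.verify(code)    # same code captured and replayed
    return {"cracked_password": cracked, "token_first_use": first, "token_replay": replay}


if __name__ == "__main__":
    print(demo())
```

The two halves show the asymmetry the thread circles around: one captured ticket reply is enough to guess a weak password offline, with the KDC never seeing a single failed attempt, whereas a captured token code is dead after its first use, so there is nothing for a "remember my password" checkbox to hold onto. The marker bytes in the toy play the part of whatever structure lets a decryptor tell a correct key from a wrong one; they are not Kerberos's actual checksum.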