-----BEGIN PGP SIGNED MESSAGE-----

there is no secure citrix client for linux :-(

I'll try to get set up to do the same test on a windows box. (so much for
being able to turn off outlook web access and its IIS server)

David Lang

On Tue, 18 Jul 2000, David Lang wrote:

> Date: Tue, 18 Jul 2000 11:07:22 -0700 (PDT)
> From: David Lang <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: Ben Nagy <[EMAIL PROTECTED]>,
>      "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> Subject: RE: Citrx Metaframe/NT4-TSE
> 
> The trouble is that from what you are describing the only authentication
> to get the ticket is the plain-text reusable password. 
> 
> for you this may be enough, for my environment it isn't. tokens are
> relatively cheap.
> 
> Also tokens do not have a checkbox labeled 'remember my password'
> 
> David Lang
> 
> On Mon, 17 Jul 2000 [EMAIL PROTECTED] wrote:
> 
> > Date: Mon, 17 Jul 2000 19:43:42 -0700
> > From: [EMAIL PROTECTED]
> > To: Ben Nagy <[EMAIL PROTECTED]>,
> >      "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> > Subject: RE: Citrx Metaframe/NT4-TSE
> > 
> > Excuse me, the ticket is only good for that session only.  The reason why 
> > the solution is elegant is because it is freely available versus spending 
> > lots of money on a whole bunch of vendor ick or snake Oil which then becomes 
> > a vendor nightmare.  I know a whole bunch of consultants who love to charge 
> > lots of money for these great and expensive solutions when one can download 
> > some free software, slap it together and Voila.
> > 
> > Nothing is truly secure, unless one decides to spend lots and 
> > lots of money to protect their organization as the Government does with 
> > Fort Knox.. :)
> > The point being if users pick dumb passwords, then the person who is 
> > responsible for enforcing the password policy.
> > 
> > Kerberos is just one layer of the solution.  There are some security 
> > refinements one can turn on on the Unix side or NT side of things to 
> > enforce good passwords.
> > 
> > Let's get something straight here, implementing Citrix Metaframe should not 
> > be like the government trying to fix the Hubble Telescope.  At least they 
> > figured out how to get into space.  Whether it works or not is another story..
> > 
> > Be my guest if you want the user to remember they have to remember their 
> > username, their password and carry this dorky token thing around.. If you 
> > are going down that path, why not just spend the money and have every 
> > single employee web-wired (see Johnny Mnemonic )..  That way this whole 
> > discussion is then moot.  All one needs to worry about then is very large 
> > dolphin  :)
> > 
> > /m
> > At 11:35 AM 7/18/00 +0930, Ben Nagy wrote:
> > >(Sorry about the busted indenting - I'm at a customer site)
> > >
> > >I'm really sorry to insult your obviously vast intelligence and try your
> > >obviously short patience, but I don't think I've actually "missed the point"
> > >at all.
> > >
> > >You, on the other hand, seem to be labouring under several misapprehensions:
> > >
> > >1. That a "kerberized" session is somehow much more secure than a
> > >non-kerberized one. Kerberos allows for endpoint/service/user
> > >authentication. However, Kerberos is still reliant on users picking strong
> > >passwords.
> > >
> > >Kerberos does NOT offer any session level encryption or any other security
> > >mechanism - it's an _authentication_ protocol. Go read the spec - I refer
> > >you to RFC 1510 for the nitty-gritty, although there are probably much more
> > >digestible descriptions. Maybe you're confusing Kerberos with something
> > >else?
> > >
> > >2. That I'm talking about a utility issue. I'm not - I couldn't care less if
> > >the solution was transparent, slightly cumbersome or requires an incantation
> > >and a pint of the user's blood. I was merely mentioning that your
> > >"kerberized" solution could not be stronger than user passwords.
> > >
> > >In other words, if one were to pick "password" as their password, no amount
> > >of Kerberos or fancy filters can stop someone guessing the password and
> > >accessing the protected application.
> > >
> > >Contrast - the two-factor auth guys get to use _real_ authentication. This
> > >does NOT give them protection against direct attacks on the boxes or the
> > >service that don't rely on authentication, and you had some good ideas with
> > >regards to securing this area.
> > >
> > >3. That you're talking to a bunch of clueless morons on this list. How about
> > >you try to give us a little more credit, huh?
> > >
> > >Cheers,
> > >
> > >--
> > >Ben Nagy
> > >Lounging Around a Customer's Network
> > >
> > >-----Original Message-----
> > >From: [EMAIL PROTECTED]
> > >To: Frank Knobbe; Ben Nagy; [EMAIL PROTECTED]
> > >Sent: 18/07/00 7:10
> > >Subject: RE: Citrx Metaframe/NT4-TSE
> > >
> > >The mechanism that allows the user to log in is transparent.. The user has
> > >no
> > >clue that they are being authenticated by RADIUS or TACACS, and that
> > >their
> > >session is kerberized.
> > >
> > >The users do not login to Citrix via telnet.
> > >
> > >The end or external user will have a Citrix client installed, and the
> > >connections are defined in their Citrix profile.
> > >
> > >If you offer to pay for travel and expenses I would be more than happy
> > >to
> > >sketch this out on a clean whiteboard.
> > >
> > >Geez
> > >
> > >/m
> > >At 01:49 PM 7/17/00 -0500, Frank Knobbe wrote:
> > > >-----BEGIN PGP SIGNED MESSAGE-----
> > > >Hash: SHA1
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Monday, July 17, 2000 11:58 AM
> > > > >
> > > > > Actually you missed the point, with Kerberos, RADIUS or
> > > > > TACACS in place,
> > > > > the whole mechanism is transparent to the user.  That is why
> > > > > it works.. :)
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

-----END PGP SIGNATURE-----