(Sorry about the busted indenting - I'm at a customer site)

I'm really sorry to insult your obviously vast intelligence and try your
obviously short patience, but I don't think I've actually "missed the point"
at all.

You, on the other hand, seem to be labouring under several misapprehensions:

1. That a "kerberized" session is somehow much more secure than a
non-kerberized one. Kerberos allows for endpoint/service/user
authentication. However, Kerberos is still reliant on users picking strong
passwords.

Kerberos does NOT offer any session level encryption or any other security
mechanism - it's an _authentication_ protocol. Go read the spec - I refer
you to RFC 1510 for the nitty-gritty, although there are probably much more
digestible descriptions. Maybe you're confusing Kerberos with something
else?

2. That I'm talking about a utility issue. I'm not - I couldn't care less if
the solution was transparent, slightly cumbersome or requires an incantation
and a pint of the user's blood. I was merely mentioning that your
"kerberized" solution could not be stronger than user passwords. 

In other words, if one were to pick "password" as their password, no amount
of Kerberos or fancy filters can stop someone guessing the password and
accessing the protected application.

Contrast - the two-factor auth guys get to use _real_ authentication. This
does NOT give them protection against direct attacks on the boxes or the
service that don't rely on authentication, and you had some good ideas with
regards to securing this area. 

3. That you're talking to a bunch of clueless morons on this list. How about
you try to give us a little more credit, huh?

Cheers,

--
Ben Nagy
Lounging Around a Customer's Network
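The bound Ben describes in points 1 and 2, as an added example that is not part of this thread or of anyone's deployment: a toy model of the Kerberos AS exchange in which the KDC returns a session key encrypted under a key derived from the user's password, and an eavesdropper who holds that reply guesses passwords offline. Real Kerberos (RFC 1510) derives the key with DES string_to_key and uses its own encryption types; here PBKDF2-HMAC-SHA256 and a SHA-256 keystream with an HMAC tag stand in for them, and the principal names, realm, wordlist and iteration count are constructed. The attack shape is the same: whether the ciphertext is an AS-REP or a pre-authentication timestamp, it can be tested against candidate passwords without contacting the KDC again, so a guessable password breaks the login no matter what the protocol does around it.

```python
"""Toy model of why a password-only Kerberos login is no stronger than the password.

Constructed example, not real Kerberos: PBKDF2-HMAC-SHA256 stands in for the
string_to_key step and a SHA-256 keystream plus HMAC tag stands in for the
Kerberos encryption type. The tag plays the role of the checksum that lets an
attacker recognise a correct decryption.
"""
import hashlib
import hmac
import os
import struct
import time

ITERATIONS = 1000  # deliberately low so the demo runs quickly (assumption)


def string_to_key(password, salt):
    """Derive the long-term key from the password; the salt is realm+principal,
    mirroring the default Kerberos salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               ITERATIONS, dklen=32)


def keystream(key, nonce, length):
    """Counter-mode keystream built from SHA-256 (toy cipher, not a Kerberos etype)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None when the tag does not verify (wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct))))


def kdc_as_rep(principal, realm, password):
    """What the KDC hands back in an AS exchange: a fresh session key and a
    timestamp, encrypted under the user's long-term key (constructed layout)."""
    session_key = os.urandom(16)
    payload = session_key + struct.pack(">Q", int(time.time()))
    return encrypt(string_to_key(password, realm + principal), payload)


def guess_password(as_rep, principal, realm, wordlist):
    """Offline dictionary attack against a captured AS-REP: no further KDC
    traffic, no lockout, just one KDF + one tag check per candidate."""
    salt = realm + principal
    for candidate in wordlist:
        if decrypt(string_to_key(candidate, salt), as_rep) is not None:
            return candidate
    return None


def demo():
    """Weak password falls to a five-word list; a strong one does not.
    Returns (recovered_weak, recovered_strong) -> ("password", None)."""
    wordlist = ["123456", "password", "letmein", "citrix", "summer2000"]  # constructed
    weak = kdc_as_rep("ben", "EXAMPLE.COM", "password")
    strong = kdc_as_rep("frank", "EXAMPLE.COM", "9vR#k2!qLp7$wZmE")
    return (guess_password(weak, "ben", "EXAMPLE.COM", wordlist),
            guess_password(strong, "frank", "EXAMPLE.COM", wordlist))


if __name__ == "__main__":
    print(demo())
```

The point of the model is what it does not contain: there is no rate limit, no lockout and no second factor anywhere in the attacker's loop, because everything needed to test a guess is in the ciphertext. A token or other second factor changes that by putting a secret the attacker cannot enumerate into the exchange.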

-----Original Message-----
From: [EMAIL PROTECTED]
To: Frank Knobbe; Ben Nagy; [EMAIL PROTECTED]
Sent: 18/07/00 7:10
Subject: RE: Citrix Metaframe/NT4-TSE

The mechanism that allows the user to log in is transparent. The user has no
clue that they are being authenticated by RADIUS or TACACS, and that their
session is kerberized.

The users do not login to Citrix via telnet.

The end or external user will have a Citrix client installed, and the 
connections are defined in their Citrix profile.

If you offer to pay for travel and expenses I would be more than happy to
sketch this out on a clean whiteboard.

Geez

/m
At 01:49 PM 7/17/00 -0500, Frank Knobbe wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, July 17, 2000 11:58 AM
> >
> > Actually you missed the point, with Kerberos, RADIUS or
> > TACACS in place,
> > the whole mechanism is transparent to the user.  That is why
> > it works.. :)