Excuse me, the ticket is only good for that session.  The reason why 
the solution is elegant is because it is freely available, versus spending 
lots of money on a whole bunch of vendor ick or snake oil which then becomes 
a vendor nightmare.  I know a whole bunch of consultants who love to charge 
lots of money for these great and expensive solutions when one can download 
some free software, slap it together and voila.

Nothing is truly secure, unless one decides to spend lots and 
lots of money to protect their organization as the Government does with 
Fort Knox.. :)
The point being, if users pick dumb passwords, then the person who is 
responsible for enforcing the password policy.

Kerberos is just one layer of the solution.  There are some security 
refinements one can turn on, on the Unix side or NT side of things, to 
enforce good passwords.

Let's get something straight here: implementing Citrix Metaframe should not 
be like the government trying to fix the Hubble Telescope.  At least they 
figured out how to get into space.  Whether it works or not is another story..

Be my guest if you want the user to remember their 
username, their password and carry this dorky token thing around.. If you 
are going down that path, why not just spend the money and have every 
single employee web-wired (see Johnny Mnemonic)..  That way this whole 
discussion is then moot.  All one needs to worry about then is a very large 
dolphin  :)

/m
At 11:35 AM 7/18/00 +0930, Ben Nagy wrote:
>(Sorry about the busted indenting - I'm at a customer site)
>
>I'm really sorry to insult your obviously vast intelligence and try your
>obviously short patience, but I don't think I've actually "missed the point"
>at all.
>
>You, on the other hand, seem to be labouring under several misapprehensions:
>
>1. That a "kerberized" session is somehow much more secure than a
>non-kerberized one. Kerberos allows for endpoint/service/user
>authentication. However, Kerberos is still reliant on users picking strong
>passwords.
>
>Kerberos does NOT offer any session level encryption or any other security
>mechanism - it's an _authentication_ protocol. Go read the spec - I refer
>you to RFC 1510 for the nitty-gritty, although there are probably much more
>digestible descriptions. Maybe you're confusing Kerberos with something
>else?
>
>2. That I'm talking about a utility issue. I'm not - I couldn't care less if
>the solution was transparent, slightly cumbersome or requires an incantation
>and a pint of the user's blood. I was merely mentioning that your
>"kerberized" solution could not be stronger than user passwords.
>
>In other words, if one were to pick "password" as their password, no amount
>of Kerberos or fancy filters can stop someone guessing the password and
>accessing the protected application.
>
>Contrast - the two-factor auth guys get to use _real_ authentication. This
>does NOT give them protection against direct attacks on the boxes or the
>service that don't rely on authentication, and you had some good ideas with
>regards to securing this area.
>
>3. That you're talking to a bunch of clueless morons on this list. How about
>you try to give us a little more credit, huh?
>
>Cheers,
>
>--
>Ben Nagy
>Lounging Around a Customer's Network
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>To: Frank Knobbe; Ben Nagy; [EMAIL PROTECTED]
>Sent: 18/07/00 7:10
>Subject: RE: Citrx Metaframe/NT4-TSE
>
>The mechanism that allows the user to log in is transparent.. The user has
>no clue that they are being authenticated by RADIUS or TACACS, and that
>their session is kerberized.
>
>The users do not login to Citrix via telnet.
>
>The end or external user will have a Citrix client installed, and the
>connections are defined in their Citrix profile.
>
>If you offer to pay for travel and expenses I would be more than happy
>to sketch this out on a clean whiteboard.
>
>Geez
>
>/m
>At 01:49 PM 7/17/00 -0500, Frank Knobbe wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, July 17, 2000 11:58 AM
> > >
> > > Actually you missed the point, with Kerberos, RADIUS or
> > > TACACS in place,
> > > the whole mechanism is transparent to the user.  That is why
> > > it works.. :)

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
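The one point both sides of the thread agree on is that Kerberos authenticates and is no stronger than the passwords users pick, so the real control is the password-policy filter on the Unix or NT side that /m mentions. What follows is an added example, not code from the thread or from any product named in it: a password-policy filter in Python that rejects the cases Ben raises, including "password" itself and leet-disguised variants such as "P@ssw0rd1", and reports a brute-force guess space so a too-short password fails even when it is not in the dictionary. The wordlist, the substitution map and the thresholds are constructed assumptions; a real deployment would load a full cracking dictionary plus site-specific words.

```python
"""Password-policy filter: the layer an authentication protocol depends on.

Added example; not code from the original thread. The wordlist below is a
constructed stand-in for a real dictionary, and the thresholds are assumptions.
"""
import math
import re

# Constructed stand-in for a cracking wordlist; a real filter would load a
# large list (and site-specific words such as product and company names).
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "123456",
    "admin", "citrix", "kerberos", "metaframe",
}

# Undo the substitutions people use to sneak a dictionary word past a
# naive "must contain a digit or symbol" rule (assumed mapping).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def normalize(password):
    """Lowercase, drop trailing digits ("password99"), undo leet ("P@ssw0rd")."""
    base = re.sub(r"\d+$", "", password.lower())
    return base.translate(LEET)


def char_classes(password):
    """Count how many of lower/upper/digit/other appear in the password."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def guess_space_bits(password):
    """Size of the brute-force space a guesser must cover, in bits.

    Assumes the attacker only has to try the character classes actually
    present; dictionary words are handled separately by check_password.
    """
    sizes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    alphabet = sum(n for p, n in sizes if re.search(p, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(username, password, min_length=8, min_classes=3, min_bits=40):
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    if normalize(password) in COMMON_WORDS:
        failures.append("dictionary word after undoing common substitutions")
    if char_classes(password) < min_classes:
        failures.append(f"fewer than {min_classes} character classes")
    if guess_space_bits(password) < min_bits:
        failures.append(f"brute-force space under {min_bits} bits")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates for the hypothetical user "mike".
    for user, pw in (("mike", "password"), ("mike", "P@ssw0rd1"),
                     ("mike", "Mike2000!"), ("mike", "Horse-Battery-Staple-42")):
        result = check_password(user, pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The checks are deliberately independent so the rejection message tells the user which rule they tripped; the dictionary check runs on the normalized form, which is what stops "P@ssw0rd1" from passing a filter that only looks for digits and symbols.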
