On Sat, 17 Aug 2002, Andreas Aardal Hanssen wrote:
> On Fri, 16 Aug 2002, Murat Bicer wrote:
> >Passwords are not stored plaintext.
> >The authentication is plaintext.
>
> Using Kerberos? You certainly need to store passwords in plaintext
> (or be able to retrieve them in plaintext) to implement Kerberos.
>
> >To avoid people capturing your passwords, you will encrypt the session
> >using ssl or TLS.
>
> I think you've misunderstood.. I'm talking about server implementation of
> Kerberos. Have you implemented Kerberos before?
>
> Andy
Yes, the Kerberos KDC is the weak point in the Kerberos system. Most
implementations protect the data (passwords, etc.) using a symmetric
(reversible) encryption method. There is a "master key" that is used by the
server for this purpose. (Look at the MIT Kerberos docs.)

Do you specifically need Kerberos or just some 'GSSAPI' system? There was the
"Globius" project that was working on a GSSAPI implementation that used
RSA/PKI as the underlying technology. (Sorry, I no longer have the reference
for it.)

If you just need a secure authentication system for networked applications,
check out SRP <http://srp.stanford.edu>: no cleartext passwords anywhere. ;)

Dave

--
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
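The two storage models Dave contrasts, as an added example that is not code from the thread, from MIT Kerberos or from the Stanford SRP project: a Kerberos-style KDC has to recover each principal's long-term key to encrypt the AS reply, so its database holds those keys reversibly sealed under one master key, whereas an SRP server stores only the one-way verifier v = g^x and never needs a master key. Assumptions: PBKDF2-SHA256 stands in for Kerberos string2key, an HMAC-SHA256 counter keystream stands in for the KDC's cipher (real krb5 uses AES), and the SRP group is the 1024-bit N and g published in RFC 5054 (verify against the RFC before reuse; use a larger group in production). The KDC class, the seal() helper and the srp_* functions are names chosen for this example.

```python
"""Kerberos-style KDC database (reversible, master-key sealed) beside SRP-6a
(server holds only a verifier).  Simplified models for illustration."""
import hashlib
import hmac
import os

# ---------- Kerberos-style KDC database (simplified model) ----------

def string_to_key(password: bytes, salt: bytes) -> bytes:
    # Stand-in for Kerberos string2key (assumption: PBKDF2-SHA256, 10k rounds).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000, dklen=32)

def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the KDC's symmetric cipher: HMAC-SHA256 counter keystream
    # XORed over the data.  Reversible: seal() with the same key/nonce decrypts.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))

class KDC:
    def __init__(self) -> None:
        self.master_key = os.urandom(32)
        self.db = {}  # principal -> (salt, nonce, client key sealed under master key)

    def add_principal(self, name: str, password: bytes) -> None:
        salt, nonce = os.urandom(16), os.urandom(16)
        self.db[name] = (salt, nonce, seal(self.master_key, nonce, string_to_key(password, salt)))

    def as_exchange(self, name: str) -> dict:
        # The AS reply is encrypted under the client's long-term key, so the KDC
        # must unseal that key: database plus master key is password-equivalent.
        salt, nonce, sealed = self.db[name]
        k_client = seal(self.master_key, nonce, sealed)
        session_key, reply_nonce = os.urandom(32), os.urandom(16)
        return {"salt": salt, "nonce": reply_nonce,
                "enc_session_key": seal(k_client, reply_nonce, session_key),
                "session_key": session_key}  # exposed only so the demo can check it

def client_decrypt_reply(password: bytes, rep: dict) -> bytes:
    # The client re-derives its key from the password and opens the reply.
    return seal(string_to_key(password, rep["salt"]), rep["nonce"], rep["enc_session_key"])

# ---------- SRP-6a: server stores (salt, v = g^x mod N), never the password ----------
# Group parameters: 1024-bit N and g from RFC 5054 (assumed correct; verify).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
        "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
        "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
        "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
        "82559B297BCF1885C529F566660E57EC68EDBC3C"
        "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
        "9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:
    return n.to_bytes((N.bit_length() + 7) // 8, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(username + b":" + password).digest())

def srp_register(username: bytes, password: bytes) -> tuple:
    # What the server stores: (salt, v).  v is one-way; there is no master key.
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_exchange(username: bytes, password: bytes, salt: bytes, v: int) -> tuple:
    # Both halves run here for the demo; in practice A, B and salt cross the
    # wire and M1/M2 key-confirmation follows.  Returns (client K, server K).
    a = int.from_bytes(os.urandom(32), "big")
    b = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)
    B = (k * v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:  # RFC 5054 abort conditions
        raise ValueError("degenerate public value")
    u = H(pad(A), pad(B))
    x = private_x(username, password, salt)           # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)        # server never learns x
    return hashlib.sha256(pad(S_client)).digest(), hashlib.sha256(pad(S_server)).digest()

if __name__ == "__main__":
    kdc = KDC()
    kdc.add_principal("alice", b"correct horse battery")
    rep = kdc.as_exchange("alice")
    print("client opens AS reply:", client_decrypt_reply(b"correct horse battery", rep) == rep["session_key"])
    salt, v = srp_register(b"alice", b"correct horse battery")
    ck, sk = srp_exchange(b"alice", b"correct horse battery", salt, v)
    print("SRP keys agree:", ck == sk)
    ck, sk = srp_exchange(b"alice", b"wrong", salt, v)
    print("SRP wrong password rejected:", ck != sk)
```

The contrast to watch in as_exchange() is that the KDC calls seal() with the master key before it can answer at all, which is exactly why Dave calls the KDC database the weak point: anyone holding both the database and the master key can derive the same client keys the KDC does. The SRP server, by contrast, only ever multiplies and exponentiates v; a leaked (salt, v) pair still leaves the password to be guessed offline, but it cannot be used directly as a client credential, which is the sense in which "no cleartext passwords anywhere" holds.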
