Paul Blackburn <[EMAIL PROTECTED]> writes:
> Hello Richard,
>
> As I understand it, kpwvalid is executed out of $PATH.
> So, how do you ensure folks are:
> a) executing it at all?
> b) executing a bona fide kpwvalid?
Exactly. This was our reason for backing off on it. Both binaries, klog and
kpwvalid, had to be in the same AFS directory with very tight ACLs. All a
user had to do was copy the klog binary down to the machine (if we'd tried to
keep it off there in the first place) and it would then skip the callout to
kpwvalid. You'd have to combine its use with running something like crack
against an offline copy of the kas database to have any assurance that it was
not being bypassed, whether deliberately or accidentally.
David
----------------------------------------------------------------
David Littlewood Tie Line 793-8832
email: [EMAIL PROTECTED] Phone 512-823-8832
http://w3.austin.ibm.com/~davidl