Am I right when I say libpam-krb5 sends the password cleartext over the
network?
In a nutshell, yes. The username and password are still sent across the network to the daemon as if you weren't using libpam-krb5. Instead of checking the passwd file, libpam-krb5 attempts to obtain a TGT from your KDC. Successfully obtaining a TGT means you are authenticated.
If you use libpam-krb5 for telnet, then your username and password go across in plaintext. Same for ftp. If you use ssh, then they are encrypted. Anything running over SSL should allow you to *relatively* securely use libpam-krb5 for authentication.
The downside is that a modified libpam-krb5 on a system could steal passwords & stash them in a file. "Pure" kerberos won't allow that to happen, since hosts never receive the user's password.
Security being a delicate balancing act between convenience & security, this is one of those things you'll have to make a call on. Personally, I'm fine with the slightly reduced security I get by using libpam-krb5 with ssh. I wouldn't dream of using it for telnet or ftp though. In other environments, ssh might even be unacceptable.
Brian Davidson, George Mason University
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
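The distinction the reply draws (pam_krb5 receiving the password on the host and doing the AS exchange itself, versus "pure" Kerberos where the host only ever sees a service ticket) shows up directly in the sshd PAM stack and sshd_config. The script below is an added example, not code from the original post, from libpam-krb5 or from OpenSSH: it builds three constructed config fragments and checks whether a given PAM file plus sshd_config combination can ever deliver the user's password to the host. File names, the `minimum_uid` module option and the sample directives are assumptions for illustration; the sshd keywords used (`UsePAM`, `PasswordAuthentication`, `KbdInteractiveAuthentication`, `GSSAPIAuthentication`) are real OpenSSH options, and sshd takes the first occurrence of a keyword as the effective value.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an sshd PAM
# stack will ever see the user's Kerberos password. All config fragments
# below are constructed for this script; the file names and module options
# are assumptions, not any real host's configuration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the setup the post warns about. pam_krb5 sits in the
# auth stack and sshd accepts passwords, so the password reaches the host and
# the host performs the AS exchange with the KDC on the user's behalf.
cat > "$WORK/pam_sshd.weak" <<'EOF'
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so try_first_pass
account required    pam_krb5.so
EOF
cat > "$WORK/sshd_config.weak" <<'EOF'
UsePAM yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
GSSAPIAuthentication no
EOF

# Constructed sample 2: "pure" Kerberos. The client presents a service ticket
# over GSSAPI and sshd refuses password logins, so a modified PAM module on
# the host has nothing to steal.
cat > "$WORK/pam_sshd.strict" <<'EOF'
auth    required    pam_unix.so
account required    pam_unix.so
EOF
cat > "$WORK/sshd_config.strict" <<'EOF'
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
EOF

# Constructed sample 3: pam_krb5 is still installed in the stack (e.g. for
# console logins) but sshd only allows GSSAPI, so over ssh the password
# never reaches the host either.
cat > "$WORK/pam_sshd.mixed" <<'EOF'
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so try_first_pass
EOF
cat > "$WORK/sshd_config.mixed" <<'EOF'
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
EOF

# sshd_opt KEYWORD CONFIG: effective value of an sshd keyword. sshd uses the
# FIRST occurrence of a keyword; both keywords checked below default to yes.
sshd_opt() {
    v=$(grep -Ei "^[[:space:]]*$1[[:space:]]+" "$2" | head -n1 | awk '{print tolower($2)}')
    printf '%s' "${v:-yes}"
}

# password_reaches_host PAM_FILE SSHD_CONFIG
# Exit 0 when the host can receive the password: pam_krb5 is in the auth
# stack AND sshd still accepts password or keyboard-interactive logins.
# Exit 1 otherwise (no pam_krb5, or only ticket-based GSSAPI logins allowed).
# ChallengeResponseAuthentication is the older spelling of
# KbdInteractiveAuthentication; add it to the check on pre-8.7 servers.
password_reaches_host() {
    pam="$1"; cfg="$2"
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_krb5\.so' "$pam" || return 1
    [ "$(sshd_opt PasswordAuthentication "$cfg")" = yes ] && return 0
    [ "$(sshd_opt KbdInteractiveAuthentication "$cfg")" = yes ] && return 0
    return 1
}

for variant in weak strict mixed; do
    if password_reaches_host "$WORK/pam_sshd.$variant" "$WORK/sshd_config.$variant"; then
        echo "$variant: password reaches the host; pam_krb5 does the AS exchange for the user"
    else
        echo "$variant: host never sees the password over ssh"
    fi
done
```

Run the same two functions against a real host's `/etc/pam.d/sshd` (on Debian the pam_krb5 line usually lives in the included `common-auth`, so check that file too) and `/etc/ssh/sshd_config`; a "reaches the host" result is exactly the trade-off the reply describes, acceptable over ssh but not over telnet or ftp, where the same password also crosses the wire in the clear.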
