On Wed, Aug 27, 2003 at 03:37:24PM -0400, Brian Davidson wrote:
> On Wednesday, August 27, 2003, at 02:16 PM, Matthijs Mohlmann wrote:
> > Am I right when I say libpam-krb5 sends the password cleartext over
> > the network?
>
> In a nutshell, yes. The username & password is still sent across the
> network to the daemon as if you weren't using libpam-krb5. Instead of
> checking the passwd file, libpam-krb5 attempts to obtain a TGT from
> your KDC. Successfully obtaining a TGT means you are authenticated.

libpam-krb5 does *not* send passwords across the network; it is the client software that would be sending passwords across the network in the clear if being used from a PAMified network server. This is not a function of libpam-krb5, but a function of PAM itself. Any communication between libpam-krb5 and the KDC is properly secured.

> If you use libpam-krb5 for telnet, then your username and password go
> across in plaintext. Same for ftp. If you use ssh, then they are
> encrypted. Anything running over SSL should allow you to *relatively*
> securely use libpam-krb5 for authentication.

s/libpam-krb5/PAM/

> The downside is that a modified libpam-krb5 on a system could steal
> passwords & stash them in a file. "Pure" kerberos won't allow that to
> happen, since hosts never receive the user's password.

Right.

-- 
Steve Langasek
postmodern programmer

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
