I agree that / accounts are very useful. My organization assigns me one (and only one) username.
My regular account has a strong password. My /wireless account has a different password, and I let my PC 'remember' it so I don't have to type it just to connect to the wireless network using 802.1x. My /test account has a weak (but easy to type) password, but does not have access to anything important. My /admin account had a stronger password (I am no longer an admin, so that account is disabled now). -- Bob Harold hostmaster, UMnet, ITcom Information and Technology Services (ITS) [email protected] 734-647-6524 desk On Sat, Jan 19, 2013 at 10:58 PM, Chris Hecker <[email protected]> wrote: > > > do you really think that people use different passwords for */admin > > principals than their regular user principals? > > I do. And, I use / a lot for test accounts and all sorts of stuff. > > Chris > > > > On 2013-01-19 15:46, Nico Williams wrote: > > On Fri, Jan 18, 2013 at 1:35 PM, Russ Allbery <[email protected]> wrote: > >> Nico Williams <[email protected]> writes: > >>> There's really no point to the /admin thing: since the server requires > >>> INITIAL tickets there's no risk of use of stolen TGTs for accessing > >>> kadmin, and if you were to have different pre-authentication > >>> requirements for kadmin than for initial TGTs the protocol does allow > >>> that. > >> > >> Er, it's still a good security practice to use a separate set of > >> credentials that you don't type into everything all the time to do your > >> daily work. Particularly given that we still live in a world where > >> there's a lot of SASL PLAIN over TLS. > > > > That might be true, but a) do you really think that people use > > different passwords for */admin principals than their regular user > > principals? and b) there's no reason that we couldn't have different > > credentials for this without having different identifiers. > > > >> It also lets you do things like assign /admin principals randomized keys > >> and require that people use PKINIT. > > > > kadmind could just require that hardware pre-auth have been done in > > order to allow certain operations. > > > > See also (b) above. Granted, (b) could only work as long as kadmind > > requires INITIAL tickets, or, if it didn't, as long as the client knew > > how to request extra/different pre-auth and the KDC knew how to label > > the resulting tickets as being differently pre-authenticated. And > > yes, we can do that. > > > >> So no, there is definitely a point. > > > > But I don't believe that distinct names is necessary for this. > > > > Nico > > -- > > ________________________________________________ > > Kerberos mailing list [email protected] > > https://mailman.mit.edu/mailman/listinfo/kerberos > > > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
