On 4/27/22 18:39, Demi Marie Obenour wrote:
> On 4/27/22 12:27, Michael Ströder wrote:
>> On 4/27/22 14:37, Jahnke-Zumbusch, Dirk wrote:
>>>> I’m very interested in what options / solutions (if any) exist that allow
>>>> you to use a passwordless approach to authenticating your users against
>>>> imaps/pop3/smtps/submission services (tls encrypted of course)
>>> one way to authenticate may be using Kerberos.
>> Not recommended for roaming users accessing submission service via
>> public Internet.
> Hard disagree; Kerberos is safe for use over the Internet.

Well, if you believe that it's ok for you to use it.
My personal preference is to avoid storing shared secrets in directly
accessible network services. And I'm saying this as somebody who tried
hard to secure OATH-LDAP services (HOTP with Yubikey and OpenLDAP).
BTW: My doubts are not about the Kerberos crypto used. My doubts are
rather about the many unknown security bugs in all the systems involved
which might allow attackers to get hold of the shared secrets.
Ciao, Michael.