Sorry about not fixing the subject in the last email.

At 12:16 PM -0500 1/31/04, Sam Hartman wrote:
>>>>> "Henry" == Henry B Hotz <[EMAIL PROTECTED]> writes:

    Henry> Well, what we do here is have the LDAP server do a kinit
    Henry> against the central kerberos server for authentication.
    Henry> Native kerberos is a lot more convenient for the users, but
    Henry> you can solve the security issues without it on a
    Henry> case-by-case basis.

> If that's actually what you do, then you have even bigger security
> problems.  A kinit, without verifying the resulting ticket against a
> host or service key, is completely vulnerable to spoofed KDCs.

The code was done years ago by someone who doesn't work here anymore, but no, I don't think it uses a keytab.

In any case, both machines are physically secure and the KDC is contacted over a private network connection. I think the risk is small.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Kerberos mailing list [EMAIL PROTECTED]
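The spoofed-KDC problem Sam describes, as an added toy model (this is not code from the thread, not MIT Kerberos, and not the krb5 API; it uses PBKDF2 in place of the Kerberos string-to-key function, a toy HMAC-authenticated stream cipher in place of a real enctype, skips pre-authentication, and the realm, principals, passwords and keys are constructed for the demo). A bare kinit only proves that the user's password matches the key held by whichever KDC answered. If an attacker can answer in place of the KDC, they can issue an AS-REP under a key derived from a password of their own choosing and then "log in" with it. The check that a keytab enables (what MIT's krb5_verify_init_creds does) is to request a service ticket for a principal whose key the LDAP host already holds and to decrypt that ticket locally; a rogue KDC that never had the host key cannot produce one.

```python
"""Toy model: why 'kinit succeeded' is not password verification without a keytab check."""
import hashlib
import hmac
import json
import os

def string2key(password, realm, principal):
    """Long-term key from a password (PBKDF2 stands in for Kerberos string-to-key)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Toy authenticated encryption (stands in for a Kerberos enctype)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Plaintext, or None if blob was not sealed under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """Issues tickets with the long-term keys it holds. The real KDC holds the real
    keys; a rogue KDC on a spoofed path holds whatever the attacker chose."""
    def __init__(self, keys):
        self.keys = dict(keys)          # principal -> long-term key
        self.tgs_key = os.urandom(32)   # key the TGT is sealed under

    def as_req(self, client):
        # AS-REP: fresh session key sealed under the client's long-term key, plus a TGT.
        session = os.urandom(32)
        enc_part = seal(self.keys[client], session)
        tgt = seal(self.tgs_key, json.dumps({"cname": client}).encode())
        return enc_part, tgt

    def tgs_req(self, tgt, service):
        claims = unseal(self.tgs_key, tgt)
        if claims is None:
            raise ValueError("TGT was not issued by this KDC")
        cname = json.loads(claims)["cname"]
        # The service ticket is sealed under the service's long-term key. A rogue KDC
        # that never had that key can only seal it under something it made up.
        svc_key = self.keys.get(service) or os.urandom(32)
        return seal(svc_key, json.dumps({"cname": cname, "sname": service}).encode())

def kinit_only(kdc, realm, user, password):
    """What the thread's LDAP server does: accept the password if the AS-REP decrypts."""
    enc_part, _tgt = kdc.as_req(user)
    return unseal(string2key(password, realm, user), enc_part) is not None

def kinit_and_verify(kdc, realm, user, password, host_principal, keytab):
    """The keytab check: after the AS exchange, fetch a ticket for a principal whose
    key is in the local keytab and require that it decrypts under that key."""
    enc_part, tgt = kdc.as_req(user)
    if unseal(string2key(password, realm, user), enc_part) is None:
        return False
    ticket = kdc.tgs_req(tgt, host_principal)
    claims = unseal(keytab[host_principal], ticket)
    return claims is not None and json.loads(claims)["cname"] == user

# Constructed scenario: realm, principals, passwords and keys are made up for the demo.
REALM = "EXAMPLE.ORG"
USER = "hotz"
HOST = "ldap/ldap.example.org"
REAL_KEYS = {USER: string2key("correct horse", REALM, USER), HOST: os.urandom(32)}
REAL_KDC = KDC(REAL_KEYS)
KEYTAB = {HOST: REAL_KEYS[HOST]}   # what the LDAP host holds locally
# The attacker answers in place of the KDC and "knows" only the password they picked.
ROGUE_KDC = KDC({USER: string2key("attacker-pw", REALM, USER)})

def demo():
    return {
        "real_kdc_right_pw": kinit_only(REAL_KDC, REALM, USER, "correct horse"),
        "real_kdc_wrong_pw": kinit_only(REAL_KDC, REALM, USER, "wrong"),
        # The bug: against the rogue KDC the attacker's own password "authenticates".
        "rogue_kdc_bare_kinit": kinit_only(ROGUE_KDC, REALM, USER, "attacker-pw"),
        # The fix: the rogue KDC cannot mint a ticket under the host's real key.
        "rogue_kdc_verified": kinit_and_verify(ROGUE_KDC, REALM, USER, "attacker-pw", HOST, KEYTAB),
        "real_kdc_verified": kinit_and_verify(REAL_KDC, REALM, USER, "correct horse", HOST, KEYTAB),
    }

if __name__ == "__main__":
    print(demo())
```

The two results that matter are `rogue_kdc_bare_kinit`, which is True (the attacker's chosen password is accepted), and `rogue_kdc_verified`, which is False. The second check costs only a keytab on the LDAP host and a second round trip, so it is cheap insurance even on a private link, since it removes the dependence on the network path to the KDC being trustworthy.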