Security issue with pam-krb5 ?

Brian Davidson bdavids1 at gmu.edu
Wed Aug 27 15:37:24 EDT 2003


On Wednesday, August 27, 2003, at 02:16 PM, Matthijs Mohlmann wrote:

> Am I right when I say libpam-krb5 sends the password cleartext over
> the network?

In a nutshell, yes.  The username & password are still sent across the 
network to the daemon as if you weren't using libpam-krb5.  Instead of 
checking the passwd file, libpam-krb5 attempts to obtain a TGT from 
your KDC.  Successfully obtaining a TGT means you are authenticated.

If you use libpam-krb5 for telnet, then your username and password go 
across in plaintext.  Same for ftp.  If you use ssh, then they are 
encrypted.  Anything running over SSL should allow you to *relatively* 
securely use libpam-krb5 for authentication.

The downside is that a modified libpam-krb5 on a system could steal 
passwords & stash them in a file.  "Pure" kerberos won't allow that to 
happen, since hosts never receive the user's password.

Security being a delicate balancing act between convenience & security, 
this is one of those things you'll have to make a call on.  Personally, 
I'm fine with the slightly reduced security I get by using libpam-krb5 
with ssh.  I wouldn't dream of using it for telnet or ftp though.  In 
other environments, ssh might even be unacceptable.

Brian Davidson
George Mason University
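The trade-off Brian describes (the host still receives the password, and the transport decides whether it also crosses the wire in cleartext) is something an administrator can check for on a machine. The script below is an added example, not code from this thread or from libpam-krb5: it walks a set of /etc/pam.d service files, follows Debian-style `@include` and Linux-PAM `include`/`substack` directives, and reports every service that ends up loading pam_krb5.so together with a verdict on its transport. The mapping of PAM service names to plaintext or encrypted protocols (`PLAINTEXT_SERVICES`, `ENCRYPTED_SERVICES`) and the sample files in `SAMPLE_PAM_FILES` are constructed assumptions for this example; on a real system you would read the files from /etc/pam.d and adjust the mapping to the daemons actually deployed.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumption for this example: which PAM service names correspond to
# protocols that carry the password unencrypted (telnetd usually runs
# through the "login" service) and which protect it in transit.
PLAINTEXT_SERVICES = {"telnet", "login", "ftp", "pop", "imap"}
ENCRYPTED_SERVICES = {"sshd", "ssh"}

VERDICT_CLEARTEXT = "password crosses the network in cleartext"
VERDICT_ENCRYPTED = "password protected in transit; host still sees it"
VERDICT_UNKNOWN = "unknown transport; verify the protocol encrypts"

# A PAM rule line:  [-]type  control  module  [arguments...]
_RULE_RE = re.compile(r"^\s*(-?\w+)\s+(\S+)\s+(\S+)")


def modules_for(service: str, pam_files: Dict[str, str],
                seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the module file names reachable from one PAM service file,
    following @include (Debian) and include/substack (Linux-PAM) lines.
    `seen` guards against include cycles."""
    if seen is None:
        seen = set()
    if service in seen or service not in pam_files:
        return set()
    seen.add(service)
    modules: Set[str] = set()
    for raw in pam_files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) >= 2:
                modules |= modules_for(parts[1], pam_files, seen)
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        _mtype, control, module = m.groups()
        if control in ("include", "substack"):
            modules |= modules_for(module, pam_files, seen)
        else:
            modules.add(module.rsplit("/", 1)[-1])  # strip any path prefix
    return modules


def audit_pam_krb5(pam_files: Dict[str, str]) -> List[Tuple[str, str]]:
    """List every service that loads pam_krb5.so, directly or via an
    include, with a verdict on whether its transport exposes the password.
    Returns (service, verdict) pairs sorted by service name."""
    findings: List[Tuple[str, str]] = []
    for service in sorted(pam_files):
        if service.startswith("common-"):  # shared fragments, not services
            continue
        if "pam_krb5.so" not in modules_for(service, pam_files):
            continue
        if service in PLAINTEXT_SERVICES:
            verdict = VERDICT_CLEARTEXT
        elif service in ENCRYPTED_SERVICES:
            verdict = VERDICT_ENCRYPTED
        else:
            verdict = VERDICT_UNKNOWN
        findings.append((service, verdict))
    return findings


# Constructed sample of a Debian-style /etc/pam.d (not from a real host).
SAMPLE_PAM_FILES = {
    "common-auth": (
        "auth sufficient pam_krb5.so minimum_uid=1000\n"
        "auth required   pam_unix.so nullok_secure\n"
    ),
    "login": (
        "# constructed sample of /etc/pam.d/login\n"
        "auth requisite pam_securetty.so\n"
        "@include common-auth\n"
    ),
    "sshd": "auth include common-auth\n",
    "ftp":  "auth required pam_unix.so\n",      # no pam_krb5: not reported
    "cron": "auth required pam_krb5.so\n",      # unknown transport
}

if __name__ == "__main__":
    for service, verdict in audit_pam_krb5(SAMPLE_PAM_FILES):
        print(f"{service:8s} {verdict}")
```

Services that only reach pam_krb5.so through `common-auth` are reported against the including service, which is the case that is easy to miss when auditing by hand; a service not in either mapping gets the "unknown transport" verdict rather than being silently passed.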


