Security issue with pam-krb5 ?
bdavids1 at gmu.edu
Wed Aug 27 16:15:36 EDT 2003
On Wednesday, August 27, 2003, at 03:47 PM, Steve Langasek wrote:
> On Wed, Aug 27, 2003 at 03:37:24PM -0400, Brian Davidson wrote:
>> On Wednesday, August 27, 2003, at 02:16 PM, Matthijs Mohlmann wrote:
>>> Am i right when i say libpam-krb5 send's the password cleartext over
>>> network ?
>> In a nutshell, yes. The username & password is still sent across the
>> network to the daemon as if you weren't using libpam-krb5. Instead of
>> checking the passwd file, libpam-krb5 attempts to obtain a TGT from
>> your KDC. Successfully obtaining a TGT means you are authenticated.
> libpam-krb5 does *not* send passwords across the network; it is the
> software that would be sending passwords across the network in the
> if being used from a PAMified network server. This is not a function
> libpam-krb5, but a function of PAM itself. Any communication between
> libpam-krb5 and the KDC is properly secured.
Correct. I should have read the initial question more carefully. When
you use libpam-krb5, the password is sent plain text, but it's not
libpam-krb5 sending the plaintext... I read it as "does the password
get sent in plaintext?"
More information about the Kerberos