Security issue with pam-krb5 ?
Sam Hartman
hartmans at MIT.EDU
Thu Aug 28 15:54:08 EDT 2003
>>>>> "Brian" == Brian Davidson <bdavids1 at gmu.edu> writes:
Brian> On Wednesday, August 27, 2003, at 02:16 PM, Matthijs
Brian> Mohlmann wrote:
>> Am I right when I say libpam-krb5 sends the password
>> cleartext over the network?
Brian> libpam-krb5 attempts to obtain a TGT from your KDC.
Brian> Successfully obtaining a TGT means you are authenticated.
Actually, no, you need to verify this TGT against some known service
principal like the local host key.
Successfully obtaining a TGT only implies authentication if the user
and a spoofed KDC aren't cooperating.
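
The verification step described in the reply above, as a toy model added to this archive page (it is not code from pam-krb5 or MIT Kerberos, where the corresponding library call is krb5_verify_init_creds()). It shows a login that trusts the AS exchange alone accepting a KDC it cannot tell from the real one, and the same login rejecting it once the ticket is checked against the local host key. Assumptions: HMAC tags stand in for Kerberos encryption, and ToyKDC, login, the principal names and the passwords are all constructed for the illustration.

```python
import hashlib
import hmac
import os

def key_from(secret: str) -> bytes:
    """Toy string-to-key; real Kerberos uses salted, enctype-specific derivation."""
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, payload: bytes) -> bytes:
    """Stand-in for Kerberos encryption: only a holder of `key` can produce this."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def unseal(key: bytes, blob: bytes):
    """Return the payload if `blob` was sealed under `key`, else None."""
    tag, payload = blob[:32], blob[32:]
    good = hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())
    return payload if good else None

class ToyKDC:
    """AS replies are sealed under the user's key, tickets under the service's key."""
    def __init__(self, keys: dict):
        self.keys = keys
    def as_req(self, user: str) -> bytes:
        return seal(self.keys[user], b"TGT for " + user.encode())
    def tgs_req(self, user: str, service: str) -> bytes:
        return seal(self.keys[service], b"ticket for " + user.encode())

HOST = "host/server.example.com"   # constructed principal name
HOST_KEY = os.urandom(32)          # held only by the real KDC and the local keytab

real_kdc = ToyKDC({"alice": key_from("correct horse"), HOST: HOST_KEY})
# A spoofed KDC can assign any user key it likes, but it cannot know HOST_KEY.
spoofed_kdc = ToyKDC({"alice": key_from("anything"), HOST: os.urandom(32)})

def login(kdc, user, password, keytab_key, verify_tgt):
    """Model of a PAM login; verify_tgt=False trusts the AS exchange alone."""
    if unseal(key_from(password), kdc.as_req(user)) is None:
        return False               # password does not open the AS reply
    if not verify_tgt:
        return True                # "obtained a TGT" treated as authenticated
    # Verification: fetch a ticket for the local host principal and check it
    # against the keytab key, which only the genuine KDC shares.
    return unseal(keytab_key, kdc.tgs_req(user, HOST)) is not None
```

A host with no keytab entry to verify against cannot perform the last step at all, which is why the verification has to fail closed rather than be skipped.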