Apps acquiring tickets (was Re: gssapi/openssh)

James F.Hranicky jfh at cise.ufl.edu
Fri May 2 11:33:30 EDT 2003


On Fri, 02 May 2003 10:05:26 -0500
"Douglas E. Engert" <deengert at anl.gov> wrote:

> You are asking for trouble if any application can ask the user to
> enter their password at any time. They will, and will try all of
> their passwords if they have to. Better to train them to enter it
> only at specific times, like login, and be suspicious if any application
> asks for their password.

Even a standard, well documented one?

Users of Kerberized apps have to "do something" when the TGT expires, why
not let them be prompted?

This sort of social engineering can happen whether or not "kinitd" exists,
so why not train them to *only* input the password when the kinitd pops
up the prompt?

I would surmise that the likelihood of someone popping up a trojan prompt
is roughly equivalent to the likelihood of someone replacing the kinit
binary itself.

> Kerberos does this.

Well, it can do this, or apps can set their own with the KRB5CCNAME 
env variable. I submit with 2), you wouldn't need to do this nearly
as often.

> >         2) the ticket cache could contain TGTs for multiple realms

Jim
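
As an added example that is not part of this thread or of any Kerberos distribution: a small POSIX sh wrapper that gives an application its own credential cache through the KRB5CCNAME mechanism mentioned above and runs kinit only when that cache holds no valid TGT, i.e. the "prompt only when the TGT has expired" behaviour under discussion, done as a wrapper rather than a kinitd daemon. It assumes the MIT Kerberos command-line tools (klist -s is the silent validity check); the app name, cache directory, environment variable and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: per-application Kerberos
# credential cache selected via KRB5CCNAME, with kinit run only when
# the cache has no valid TGT. Assumes MIT Kerberos klist/kinit.
# App name, directory and function names are hypothetical.

# Print the cache name for an app: FILE:<dir>/krb5cc_<app>_<uid>.
# A per-app file keeps a long-running app's TGT separate from the
# user's login cache, so each can expire and be renewed on its own.
app_ccache() {
    dir=$1; app=$2; uid=$3
    printf 'FILE:%s/krb5cc_%s_%s\n' "$dir" "$app" "$uid"
}

# Create the cache directory as a private (0700) directory, refusing
# to follow a symlink planted there by someone else. Returns 1 on failure.
private_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    [ -d "$dir" ] && [ ! -L "$dir" ]
}

# Return 0 if the named cache holds a valid, unexpired TGT (klist -s is
# silent and only sets the exit status), non-zero otherwise. Return 3
# when klist is not installed so the caller can tell "unknown" from "expired".
tgt_valid() {
    command -v klist >/dev/null 2>&1 || return 3
    KRB5CCNAME=$1 klist -s
}

# Run a command with the app's private cache in KRB5CCNAME, prompting for
# the password through kinit only when no valid TGT is present.
with_app_ticket() {
    cc=$1; shift
    if ! tgt_valid "$cc"; then
        KRB5CCNAME=$cc kinit || return 1
    fi
    KRB5CCNAME=$cc "$@"
}

# Usage: set APP_TICKET_DEMO=1 (hypothetical switch) to run against a real KDC.
if [ "${APP_TICKET_DEMO:-0}" = 1 ]; then
    dir=${XDG_RUNTIME_DIR:-/tmp}/krb5-myapp
    private_dir "$dir" || exit 1
    cc=$(app_ccache "$dir" myapp "$(id -u)")
    with_app_ticket "$cc" klist
fi
```

Because kinit reads KRB5CCNAME, the password prompt appears only from this one wrapper and only when klist -s reports the app's TGT as missing or expired; the user's login cache (the default KRB5CCNAME) is never touched. With MIT Kerberos 1.10 or later a DIR: cache collection can hold credentials for several principals side by side, which is one way to keep TGTs for more than one realm in a single cache.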


More information about the Kerberos mailing list