LDAP/Kerberos Integration
Henry B. Hotz
hotz at jpl.nasa.gov
Sat Jan 31 17:11:47 EST 2004
Sorry about not fixing the subject in the last email.
At 12:16 PM -0500 1/31/04, Sam Hartman wrote:
> >>>>> "Henry" == Henry B Hotz <hotz at jpl.nasa.gov> writes:
>
> Henry> Well, what we do here is have the LDAP server do a kinit
> Henry> against the central kerberos server for authentication.
> Henry> Native kerberos is a lot more convenient for the users, but
> Henry> you can solve the security issues without it on a
> Henry> case-by-case basis.
>
>If that's actually what you do, then you have even bigger security
>problems. A kinit, without verifying the resulting ticket against a
>host or service key is completely vulnerable to spoofed KDCs.
The code was done years ago by someone who doesn't work here anymore,
but no, I don't think it uses a keytab.
In any case both machines are physically secure and the KDC is
contacted over a private network connection. I think the risk is
small.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
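The attack Sam describes, as an added example that is not part of the thread and not JPL's or MIT's code: a toy model of the AS and TGS exchanges with a real KDC and an attacker-run KDC. Everything here is constructed (the realm, the "alice" principal, the host principal, the SHA-256/HMAC "enctype" standing in for real Kerberos encryption, and the PBKDF2 stand-in for string2key). The naive check does what the LDAP server in the thread does, treating a decryptable AS-REP as proof of the password; the verified check then asks for a ticket to the server's own host principal and decrypts it with the keytab key, which is what krb5_verify_init_creds does in the real library.

```python
"""Why a bare kinit is not an authentication check: a spoofed KDC
that knows the password the attacker typed can always produce an
AS-REP that decrypts. Only a ticket for a service whose key the
attacker cannot know (our keytab) pins the reply to the real KDC.
All data and crypto below are constructed for illustration."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

REALM = "EXAMPLE.ORG"                 # assumed realm
HOST_PRINC = "host/ldap.example.org"  # assumed keytab principal of the LDAP server


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string2key (PBKDF2 with the principal as salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: SHA-256 keystream + HMAC tag (not a real enctype)."""
    nonce = os.urandom(16)
    plain = json.dumps(payload, sort_keys=True).encode()
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, "sha256").digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    """Return the payload, or None if the tag does not verify under this key."""
    if len(blob) < 48:
        return None
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, "sha256").digest(), tag):
        return None
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """A KDC holding the realm's long-term principal keys."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys

    def as_exchange(self, client: str) -> bytes:
        """AS-REP: {session key, TGT} sealed with the client's long-term key."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys[f"krbtgt/{REALM}"], {"cname": client, "session": session})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, service: str) -> Optional[bytes]:
        """TGS-REP: a ticket for `service`, sealed with that service's key."""
        tgt = unseal(self.keys[f"krbtgt/{REALM}"], bytes.fromhex(tgt_hex))
        if tgt is None or service not in self.keys:
            return None
        return seal(self.keys[service], {"cname": tgt["cname"], "sname": service})


class RogueKDC(KDC):
    """Attacker's KDC: it knows only the password the attacker will submit,
    so it derives the victim's 'key' from that and invents every other key."""

    def __init__(self, victim: str, attacker_password: str):
        super().__init__({victim: string_to_key(attacker_password, victim),
                          f"krbtgt/{REALM}": os.urandom(32),
                          HOST_PRINC: os.urandom(32)})  # guess; real host key unknown


def naive_kinit_auth(kdc: KDC, user: str, password: str) -> bool:
    """The thread's LDAP-server check: 'the AS-REP decrypted, so the password is right'."""
    return unseal(string_to_key(password, user), kdc.as_exchange(user)) is not None


def verified_kinit_auth(kdc: KDC, user: str, password: str, keytab: Dict[str, bytes]) -> bool:
    """kinit plus the keytab check: fetch a ticket for our own host principal
    and require that it decrypts under the key only the real KDC shares with us."""
    asrep = unseal(string_to_key(password, user), kdc.as_exchange(user))
    if asrep is None:
        return False  # wrong password, or a KDC that does not know the user's key
    ticket_blob = kdc.tgs_exchange(asrep["tgt"], HOST_PRINC)
    if ticket_blob is None:
        return False
    ticket = unseal(keytab[HOST_PRINC], ticket_blob)
    return ticket is not None and ticket["cname"] == user and ticket["sname"] == HOST_PRINC


def demo() -> Dict[str, bool]:
    """Constructed realm: one user, the LDAP host's key, the TGS key."""
    real_kdc = KDC({"alice": string_to_key("correct horse battery", "alice"),
                    HOST_PRINC: os.urandom(32),
                    f"krbtgt/{REALM}": os.urandom(32)})
    keytab = {HOST_PRINC: real_kdc.keys[HOST_PRINC]}   # what the LDAP server holds
    rogue = RogueKDC("alice", "anything-the-attacker-likes")
    return {
        "naive/real/right-pw": naive_kinit_auth(real_kdc, "alice", "correct horse battery"),
        "naive/real/wrong-pw": naive_kinit_auth(real_kdc, "alice", "wrong"),
        "naive/rogue": naive_kinit_auth(rogue, "alice", "anything-the-attacker-likes"),
        "verified/real/right-pw": verified_kinit_auth(real_kdc, "alice", "correct horse battery", keytab),
        "verified/rogue": verified_kinit_auth(rogue, "alice", "anything-the-attacker-likes", keytab),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} -> {'accept' if ok else 'reject'}")
```

The "naive/rogue" case is the one that matters: the attacker never learns alice's real password, yet a KDC under their control (reachable because DNS, routing, or the private link is subverted) lets the naive check accept. Whether the private network in the thread makes that risk small is a judgement about the network, not about the protocol; the keytab check removes the dependency on the network entirely.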