Six Kerberos/OS X/SSH observations and questions

Henry B. Hotz hotz at jpl.nasa.gov
Fri Mar 4 18:43:53 EST 2005


On Feb 28, 2005, at 9:02 AM, kerberos-request at mit.edu wrote:

> 6) The general advice I see on the issue of whether the NetInfo and
> Kerberos passwords should match is that this is a bad idea. Why? In
> scenario 5) (or scenario 4 without network connectivity) I would think
> I'd *prefer* to only have one password to remember that will work
> whether the login process succeeds in connecting to a KDC or instead
> falls over to NetInfo (Or is the other way around?). I'd also prefer
> that when I change my Kerberos password my NetInfo password also
> changes, and perhaps even vice versa. What are the horrible downsides
> to such password synchronization?

Depends on how concerned you are with the possibility of someone
cracking NetInfo and then using the password to infiltrate the
Kerberized services. I haven't tracked all the issues but I don't
think NetInfo is considered that secure. At the least it needs to be
set up correctly to be secure.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu


