Six Kerberos/OS X/SSH observations and questions
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Mar 4 18:43:53 EST 2005
On Feb 28, 2005, at 9:02 AM, kerberos-request at mit.edu wrote:
> 6) The general advice I see on the issue of whether the NetInfo and
> Kerberos passwords should match is that this is a bad idea. Why? In
> scenario 5) (or scenario 4 without network connectivity) I would think
> I'd *prefer* to only have one password to remember that will work
> whether the login process succeeds in connecting to a KDC or instead
> falls over to NetInfo (Or is the other way around?). I'd also prefer
> that when I change my Kerberos password my NetInfo password also
> changes, and perhaps even vice versa. What are the horrible downsides
> to such password synchronization?
Depends on how concerned you are with the possibility of someone
cracking netinfo and then using the password to infiltrate the
Kerberized services. I haven't tracked all the issues but I don't
think netinfo is considered that secure. At the least it needs to be
set up correctly to be secure.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Kerberos
mailing list