XMPP & Kerberos 5

Russ Allbery rra at stanford.edu
Mon Nov 30 12:48:24 EST 2009


Dax Kelson <dkelson at gurulabs.com> writes:

> Don't most people use Kerberos in conjunction with LDAP? Also isn't it
> typical to have LDAP server doing passthrough authentication (for simple
> bind operations) to the KDC?

I certainly hope not.  I suspect that it's far more common than I'd like,
but it's a violation of the Kerberos security model and exposes the user's
password to rather more systems than should need to see it.

We require GSSAPI binds for all authenticated access to our LDAP servers
and don't allow simple binds at all except for anonymous binds.

The correct way of using Kerberos is for the user's credentials to never
leave the local system.  In practice, it's an ideal that usually can't be
reached, but every place where the Kerberos password leaves the local
system and is validated on a remote system is a place that's going to
break when you want to switch to something better than passwords, such as
smart-card authentication.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
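
[Editor's note, added to this archive page and not part of Russ's message.]
The policy described above (GSSAPI for every authenticated bind, no simple
binds except anonymous) is what the following OpenLDAP slapd.conf fragment
enforces. It is an added example, not Stanford's configuration; the host
name, realm, suffix and the ou=people container are placeholders, and the
exact form of the authentication request DN should be confirmed against
your own server's bind log before relying on the authz-regexp mapping.

```conf
# slapd.conf fragment (added example; hostnames, realm and suffix are
# placeholders, not values from the original post).

# Kerberos principal the server accepts GSSAPI contexts for is
# ldap/ldap.example.com@EXAMPLE.COM; sasl-realm names the default realm.
sasl-host   ldap.example.com
sasl-realm  EXAMPLE.COM

# Refuse SASL mechanisms that would carry a cleartext password to the
# directory server (PLAIN, LOGIN) and refuse anonymous SASL binds.
sasl-secprops  noanonymous,noplain

# Refuse simple (DN + password) binds with unwillingToPerform. slapd
# accepts the anonymous case (empty DN, empty credentials) before this
# check, so anonymous binds keep working.
disallow  bind_simple

# Map the authenticated GSSAPI identity onto a directory entry so ACLs can
# be written against DNs. A principal alice@EXAMPLE.COM in the default
# realm arrives as uid=alice,cn=example.com,cn=gssapi,cn=auth.
authz-regexp
    "uid=([^,/]*),cn=example.com,cn=gssapi,cn=auth"
    "uid=$1,ou=people,dc=example,dc=com"
```

To check it from a client that already holds a TGT (after kinit),
`ldapwhoami -Y GSSAPI -H ldap://ldap.example.com/` should report the mapped
DN (dn:uid=alice,ou=people,dc=example,dc=com), an anonymous
`ldapwhoami -x -H ldap://ldap.example.com/` should still succeed, and a
password bind such as `ldapwhoami -x -D uid=alice,ou=people,dc=example,dc=com -W`
should be refused by the server rather than forwarded anywhere. No
password ever reaches the LDAP server or the KDC over this path, which is
the property the message above is arguing for.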