clear text password used
Kevin Longfellow
klongfel at yahoo.com
Thu Jun 10 09:58:08 EDT 2010
Hi,
After reading the Aims section at http://www.kerberos.org/software/tutorial.html, it states the users password must never travel over the network. Take for example using LDAP as the back end for the principals. For a security review, I need to understand the path of the clear text password:
user runs kinit - this is the only time the password is entered in clear text?
kinit uses the string2key function to create a hashed encrypted key that replaces the password?
The hashed encrypted key is sent to the kdc and the kdc uses this hashed encrypted key to check the original password is correct in LDAP?
Hopefully I'm being clear what I am asking, but basically this question will come up: will the clear text password ever be sent to the LDAP back end and possibly cached and therefore compromised.
Thanks for any assistance with this,
Kevin
More information about the Kerberos
mailing list