clear text password used

Weijun Wang Weijun.Wang at sun.com
Thu Jun 10 10:18:45 EDT 2010


On Jun 10, 2010, at 9:58 PM, Kevin Longfellow wrote:

> 
> Hi,
> 
> After reading the Aims section at http://www.kerberos.org/software/tutorial.html, it states the users password must never travel over the network.  Take for example using LDAP as the back end for the principals.  For a security review, I need to understand the path of the clear text password:
> 
> user runs kinit - this is the only time the password is entered in clear text?

Yes.

> 
> kinit uses the string2key function to create a hashed encrypted key that replaces the password?

Hashed, but not encrypted.

> 
> The hashed encrypted key is sent to the kdc and the kdc uses this hashed encrypted key to check the original password is correct in LDAP?

NO! the key is never sent on the wire, neither plain or encrypted. Client and KDC simply send encrypted content (encrypted with this key) back and forth so that each side can be assured that the other side knows this key.

Max

> 
> Hopefully I'm being clear what I am asking, but basically this question will come up: will the clear text password ever be sent to the LDAP back end and possibly cached and therefore compromised.
> 
> Thanks for any assistance with this,
> 
> Kevin
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos




More information about the Kerberos mailing list