Principal naming

Bob Harold rharolde at umich.edu
Mon Jan 21 13:49:09 EST 2013


I agree that / accounts are very useful.  My organization assigns me one
(and only one) username.

My regular account has a strong password.
My /wireless account has a different password, and I let my PC 'remember'
it so I don't have to type it just to connect to the wireless network using
802.1x.
My /test account has a weak (but easy to type) password, but does not have
access to anything important.
My /admin account had a stronger password (I am no longer an admin, so that
account is disabled now).

-- 
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharolde at umich.edu
734-647-6524 desk


On Sat, Jan 19, 2013 at 10:58 PM, Chris Hecker <checker at d6.com> wrote:

>
> > do you really think that people use different passwords for */admin
> > principals than their regular user principals?
>
> I do.  And, I use / a lot for test accounts and all sorts of stuff.
>
> Chris
>
>
>
> On 2013-01-19 15:46, Nico Williams wrote:
> > On Fri, Jan 18, 2013 at 1:35 PM, Russ Allbery <rra at stanford.edu> wrote:
> >> Nico Williams <nico at cryptonector.com> writes:
> >>> There's really no point to the /admin thing: since the server requires
> >>> INITIAL tickets there's no risk of use of stolen TGTs for accessing
> >>> kadmin, and if you were to have different pre-authentication
> >>> requirements for kadmin than for initial TGTs the protocol does allow
> >>> that.
> >>
> >> Er, it's still a good security practice to use a separate set of
> >> credentials that you don't type into everything all the time to do your
> >> daily work.  Particularly given that we still live in a world where
> >> there's a lot of SASL PLAIN over TLS.
> >
> > That might be true, but a) do you really think that people use
> > different passwords for */admin principals than their regular user
> > principals? and b) there's no reason that we couldn't have different
> > credentials for this without having different identifiers.
> >
> >> It also lets you do things like assign /admin principals randomized keys
> >> and require that people use PKINIT.
> >
> > kadmind could just require that hardware pre-auth have been done in
> > order to allow certain operations.
> >
> > See also (b) above.  Granted, (b) could only work as long as kadmind
> > requires INITIAL tickets, or, if it didn't, as long as the client knew
> > how to request extra/different pre-auth and the KDC knew how to label
> > the resulting tickets as being differently pre-authenticated.  And
> > yes, we can do that.
> >
> >> So no, there is definitely a point.
> >
> > But I don't believe that distinct names is necessary for this.
> >
> > Nico
> > --
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
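The thread above turns on two separable ideas: the principal *name* (primary plus instance components such as `/admin`, `/wireless`, `/test`) and the *credential requirements* a KDC or kadmind attaches to it (INITIAL tickets, stronger pre-authentication, a restricted set of services). The following Python is an added illustration, not code from any post in this thread nor from MIT krb5: it parses principal names the way MIT krb5 spells them (backslash escapes `/` and `@`) and evaluates a constructed, hypothetical per-instance policy table so that the checks the posters argue about can be seen in one place.

```python
"""Kerberos principal parsing and a per-instance policy check (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str
    instances: Tuple[str, ...]
    realm: Optional[str]

    def __str__(self) -> str:
        name = "/".join([self.primary, *self.instances])
        return f"{name}@{self.realm}" if self.realm else name


def parse_principal(text: str) -> Principal:
    """Split 'primary/inst1/inst2@REALM' into components.

    A backslash escapes the following character, so the literal string
    a\\/b@R has the single primary component 'a/b'.  This matches the
    MIT krb5 convention for names that contain '/' or '@'.
    """
    components = []
    current = []
    realm_chars = None  # becomes a list once the '@' separator is seen
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            # Escaped character: keep it literally in whichever part is open.
            (realm_chars if realm_chars is not None else current).append(text[i + 1])
            i += 2
            continue
        if realm_chars is None and ch == "/":
            components.append("".join(current))
            current = []
        elif realm_chars is None and ch == "@":
            components.append("".join(current))
            realm_chars = []
        elif realm_chars is not None:
            realm_chars.append(ch)
        else:
            current.append(ch)
        i += 1
    if realm_chars is None:
        components.append("".join(current))
    if not components[0]:
        raise ValueError(f"principal has an empty primary component: {text!r}")
    realm = "".join(realm_chars) if realm_chars is not None else None
    if realm == "":
        raise ValueError(f"principal has an empty realm: {text!r}")
    return Principal(components[0], tuple(components[1:]), realm)


# Constructed policy table (hypothetical; not from any real KDC or kadmind).
# Keyed by the first instance component; None is a plain user principal.
# 'initial'    : an INITIAL ticket (fresh AS exchange, no TGT) is required,
#                which is what kadmind demands in the discussion above.
# 'hw_preauth' : hardware/PKINIT-style pre-authentication must have been done.
# 'services'   : the only service principals this instance may reach.
INSTANCE_POLICY: Dict[Optional[str], Dict[str, object]] = {
    None:       {"initial": False, "hw_preauth": False,
                 "services": {"imap/mail.example.com", "host/workstation.example.com"}},
    "admin":    {"initial": True,  "hw_preauth": True,
                 "services": {"kadmin/admin"}},
    "wireless": {"initial": False, "hw_preauth": False,
                 "services": {"host/nas.example.com"}},
    "test":     {"initial": False, "hw_preauth": False,
                 "services": {"host/sandbox.example.com"}},
}


def authorize(principal_text: str, service: str, *,
              initial_ticket: bool, hw_preauth: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request under INSTANCE_POLICY."""
    principal = parse_principal(principal_text)
    key = principal.instances[0] if principal.instances else None
    policy = INSTANCE_POLICY.get(key)
    if policy is None:
        return False, f"no policy for instance {key!r}"
    if policy["initial"] and not initial_ticket:
        return False, "INITIAL ticket required"
    if policy["hw_preauth"] and not hw_preauth:
        return False, "hardware pre-authentication required"
    allowed: Set[str] = policy["services"]  # type: ignore[assignment]
    if service not in allowed:
        return False, f"{service} is not permitted for instance {key!r}"
    return True, "ok"


if __name__ == "__main__":
    for args in [("bob/admin@EXAMPLE.COM", "kadmin/admin", True, True),
                 ("bob/admin@EXAMPLE.COM", "kadmin/admin", False, True),
                 ("bob/test@EXAMPLE.COM", "kadmin/admin", True, True),
                 ("bob@EXAMPLE.COM", "imap/mail.example.com", False, False)]:
        print(args[0], args[1], authorize(args[0], args[1],
                                          initial_ticket=args[2], hw_preauth=args[3]))
```

The policy lives in a table keyed by instance name, which is exactly the coupling Nico objects to; the same checks could be keyed by how the ticket was pre-authenticated rather than by the principal's name, and the table layout above makes it easy to see where that substitution would go.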

