KfM 4.0b7: a few questions

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jan 31 14:55:00 EST 2002

>I'm unclear why is it such a problem to train users to only type 
>their password into the Kerberos Login Server dialog.  We present a 
>distinctive and consistent user interface, Dock icon and launch path. 
>Our KerberosLoginServer.app (separate from the Kerberos.app) resides 
>in a location owned by root/wheel so admin users can't modify it 
>without typing in their admin passwords.  Any security conscious user 
>can verify via their favorite process monitor that only a user with 
>root access could have tampered with their Kerberos dialog.

I'm not sure it was an issue of a trojan application versus the general
concept that the Kerberos password is "special" and you shouldn't
reveal it to any application that asks for it (e.g. a web browser) but
only to a specific one.  But it sounds like the consistant UI you've
described (something which I didn't completely understand before) is a
better solution.


More information about the krbdev mailing list