KfM 4.0b7: a few questions
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Jan 31 14:55:00 EST 2002
>I'm unclear why is it such a problem to train users to only type
>their password into the Kerberos Login Server dialog. We present a
>distinctive and consistent user interface, Dock icon and launch path.
>Our KerberosLoginServer.app (separate from the Kerberos.app) resides
>in a location owned by root/wheel so admin users can't modify it
>without typing in their admin passwords. Any security conscious user
>can verify via their favorite process monitor that only a user with
>root access could have tampered with their Kerberos dialog.
I'm not sure it was an issue of a trojan application versus the general
concept that the Kerberos password is "special" and you shouldn't
reveal it to any application that asks for it (e.g. a web browser) but
only to a specific one. But it sounds like the consistent UI you've
described (something which I didn't completely understand before) is a
better solution.
--Ken
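The tamper-resistance argument in the quoted message rests on a filesystem property: the login application lives somewhere only root can write, so any user can confirm that nobody short of root could have swapped it. As an added example (not code from the krbdev thread or from the Kerberos for Macintosh project), here is a POSIX shell check of that property. It walks from an application path up through every parent directory, because a group- or world-writable ancestor would let a non-root user rename the real bundle away and drop a trojan in its place, which is exactly the attack the ownership argument is meant to exclude. The path, the expected owner, and the top directory at which the walk stops are all arguments and are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: verify that an application
# path and every directory above it (up to a trusted top directory) are
# owned by the expected user and are neither group- nor world-writable.
#
# usage: check_trusted_path PATH [OWNER] [TOP]
#   OWNER defaults to root, TOP defaults to / (both are assumptions).
# Returns 0 if every component passes; prints the first offending
# component on stderr and returns 1 otherwise.
check_trusted_path() {
    p=$1
    owner=${2:-root}
    top=${3:-/}

    # Make the path absolute so the ancestor walk is well defined.
    case $p in
        /*) ;;
        *) p="$(pwd)/$p" ;;
    esac

    while :; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            return 1
        fi

        # 'find -maxdepth 0' inspects only $p itself. The output is empty
        # when $p is not owned by $owner or has the group or other write
        # bit set; this form works with both GNU and BSD (macOS) find.
        if [ -z "$(find "$p" -maxdepth 0 -user "$owner" \
                        ! -perm -g=w ! -perm -o=w 2>/dev/null)" ]; then
            echo "untrusted: $p (must be owned by $owner and not group/world writable)" >&2
            return 1
        fi

        # Stop once the trusted top directory (or the root) has been checked.
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
            return 0
        fi
        p=$(dirname "$p")
    done
}

# Stand-alone use: check an installed bundle against root ownership.
# The path below is an assumption, not taken from the thread.
if [ "${1:-}" = "--run" ]; then
    check_trusted_path "/Applications/Utilities/KerberosLoginServer.app" root / \
        && echo "path is root-owned and not writable below root"
fi
```

The walk goes all the way up on purpose: a bundle that is itself root-owned but sits in a directory an admin user can write to gives no guarantee. On macOS the same idea is usually stated as root/wheel ownership; adding `-group wheel` to the `find` expression extends the check to the group as well.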