pkinit and passwords issues
hartmans at MIT.EDU
Tue Feb 16 05:20:40 EST 2010
>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
>> 2) There is no valid password. In which, the password should not
>> be set to expire.
Jeffrey> Setting a random password and setting it to never expire
Jeffrey> results in there being a password that can be brute forced
Jeffrey> over a long period of time and used as a backdoor. It
Jeffrey> would be much better if a property on the principal simply
Jeffrey> indicated "no password authentication permitted" and be
Jeffrey> done with it.
Jeff, I completely agree with you that such a property would be
desirable. We don't currently have it. I definitely think it would be
a step forward.
I'm not really convinced that the brute force concern is valid for AES,
3DES or RC4. I agree it is a significant concern for DES.