pkinit and passwords issues

Sam Hartman hartmans at MIT.EDU
Tue Feb 16 05:20:40 EST 2010

>>>>> "Jeffrey" == Jeffrey Altman <jaltman at> writes:

    >> 2) There is no valid password.  In which, the password should not
    >> be set to expire.

    Jeffrey> Setting a random password and setting it to never expire
    Jeffrey> results in there being a password that can be brute forced
    Jeffrey> over a long period of time and used as a backdoor.  It
    Jeffrey> would be much better if a property on the principal simply
    Jeffrey> indicated "no password authentication permitted" and be
    Jeffrey> done with it.

Jeff, I completely agree with you that such a property would be
desirable.  we don't currently have it.  I definitely think it would be
a step forward.

I'm not really convinced that the brute force concern is valid for AES,
3DES or RC4.  I agree it is a significant concern for DES.


More information about the krbdev mailing list