[315] in Kerberos
re: Yet another addendum
daemon@TELECOM.MIT.EDU (Jerome H. Saltzer)
Sat Jan 30 12:00:07 1988
To: kerberos@ATHENA.MIT.EDU
In-Reply-To: bcn@june.cs.washington.edu (Clifford Neuman)'s message of Thu, 28 Jan 88 17:22:56 PST
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
> The answer to Jeff's problem is to require that the response to a
> request from kerberos for a ticket with a different internet address
> come back encrypted in the user's secret key instead of the session
> key. As such, the user would be required to type in his password
> again.
That proposal smells almost right for the case when you WANT the user
to type a password as part of moving to a new environment. The only
problem I see is that if while logged in at A you rlogin to B, then
from B you rlogin to C, you still end up sending your password over
the net from A to B. The user could avoid this exposure by
always doing rlogins directly from A, but it requires some
indoctrination to realize why it is worth the bother.
However, I find very appealing Steve's argument that, once
identified, you should be able to navigate without exposing your
password at all, even to the local workstation. I suspect it is
easier for a user to understand (and protect against) the exposure in
leaving a workstation unattended than the exposure in doing rlogin
from a to b to c.
I think this is a fairly tough call, trading off subtle objectives.
The discussion about flags leaves me cold. No one will ever
understand how to set them to get the right result.
Jerry