[6924] in Kerberos
Re: TACCAS authentication server
daemon@ATHENA.MIT.EDU (Ken Sallenger)
Thu Mar 21 06:26:09 1996
To: kerberos@MIT.EDU
Date: 20 Mar 1996 23:03:58 -0500
From: ken@animal.csd.sc.edu (Ken Sallenger)
Reply-To: ken@bigbird.csd.sc.edu (Ken Sallenger)
In article <199603191359.IAA00494@gza-client1.cam.ov.com>,
Donald T. Davis <don@cam.ov.com> wrote:
=> r. tharakan asks
=> > Is it related to kerberos in any way? It happens to be in use in India
No, not related to Kerberos. As Donald points out, it sends unencrypted
passwords in a packet over the network.
If we have physical control over the LANs/routers it traverses,
from the terminal server to the TACACS server, it should be ... less
insecure.
There is code available from a couple of sources (Cisco, Datability?)
for a server which verifies the authentication request with the Unix
password system.
I have worked on factoring this out as a subroutine (well it's in C, so
it's a function), with a view to using a different method, or even
calling (more securely) an authentication server on a third host.
It's very straightforward; but I'd be happy to share that and some
clean-up I've done along the way.
=> * the centralized pw server may be prepared to use the kdc
=> as a pw-database. this violates krb's design principles,
=> though.
If we control the LAN, and (the big if) if we treat the TACACS
server just as we would a kerberos server, it improves the situation.
--
Ken Sallenger / ken@sc.edu / 803 777-9335
Computer Services Division / Univ. of South Carolina, Columbia SC