Date: Sat, 3 Feb 2001 00:13:30 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: security@FreeBSD.ORG
Subject: Re: PAM/SSH and KerberosIV?
Message-ID: <200102030513.AAA94021@khavrinen.lcs.mit.edu>
In-Reply-To: <Pine.NEB.3.96L.1010202210509.37792A-100000@fledge.watson.org>
References: <200101310049.f0V0n1f15852@green.dyndns.org> <Pine.NEB.3.96L.1010202210509.37792A-100000@fledge.watson.org>
<<On Fri, 2 Feb 2001 21:14:38 -0500 (EST), Robert Watson <rwatson@FreeBSD.ORG> said:

> I ran through the tests, and the following occurs: without the
> pam_kerberosIV.so entry in /etc/pam.conf, you cannot log in using
> kerberos.

My feeling is that enabling pam_kerberosIV for anything other than login and xdm is an exceedingly poor idea. It's bad enough that most SSH clients confuse the issue by prompting for the password as if it were being processed locally. At least if you make users kinit manually, there's a fair understanding of what is actually happening where.

The entire point and design of Kerberos is that you never, ever send your password over the net, not even over an encrypted channel except to change it.

My own personal policy, which many would call overly strict, is to set `PasswordAuthentication no' on any sshd which knows how to do Kerberos. (I can't always implement my own policy even on machines completely under my control.)

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
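As an added check for the policy in this message (example code, not from the thread or from the FreeBSD project): it audits constructed sshd_config and pam.conf excerpts, whose contents, including the pam_unix.so lines, are assumptions, and it applies the sshd_config rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. It audits two
# things the message above asks for: sshd refuses passwords
# (PasswordAuthentication no) and pam_kerberosIV.so is consulted only by the
# login and xdm services. sshd_config(5) uses the FIRST occurrence of each
# keyword, so a trailing "PasswordAuthentication no" does not undo an earlier "yes".

# Constructed sshd_config excerpts (assumed contents, not from real hosts).
WEAK_SSHD_CONFIG='# weak: the first match wins, so passwords stay enabled
PasswordAuthentication yes
Protocol 2
PasswordAuthentication no'

STRICT_SSHD_CONFIG='# strict: keywords are case-insensitive
Protocol 2
passwordauthentication no'

# Constructed pam.conf excerpts: "service type control module [args]".
# The pam_unix.so lines are an assumption for illustration.
WEAK_PAM_CONF='login  auth  sufficient  pam_kerberosIV.so
sshd   auth  sufficient  pam_kerberosIV.so
sshd   auth  required    pam_unix.so'

STRICT_PAM_CONF='login  auth  sufficient  pam_kerberosIV.so
xdm    auth  sufficient  pam_kerberosIV.so
sshd   auth  required    pam_unix.so'

# Print the effective value of an sshd keyword: skip comments and blank
# lines, compare keywords case-insensitively, stop at the first match.
effective_sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Exit 0 when every pam_kerberosIV.so line belongs to login or xdm,
# 1 when some other service (for example sshd) also consults it.
pam_kerberosiv_confined() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        $4 ~ /pam_kerberosIV\.so/ && $1 != "login" && $1 != "xdm" { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report the constructed samples.
printf 'weak sshd_config   => PasswordAuthentication %s\n' "$(effective_sshd_option "$WEAK_SSHD_CONFIG" PasswordAuthentication)"
printf 'strict sshd_config => PasswordAuthentication %s\n' "$(effective_sshd_option "$STRICT_SSHD_CONFIG" PasswordAuthentication)"
pam_kerberosiv_confined "$WEAK_PAM_CONF" || echo 'weak pam.conf: pam_kerberosIV.so reachable from sshd'
pam_kerberosiv_confined "$STRICT_PAM_CONF" && echo 'strict pam.conf: OK'
```

The weak sshd_config reports "yes" even though its last line says "no", which is exactly the mistake a quick grep for `PasswordAuthentication no` would miss.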