- Newsgroups: comp.protocols.kerberos
- Path: sparky!uunet!stanford.edu!MIT.EDU!warlord
- From: warlord@MIT.EDU (Derek Atkins)
- Subject: Re: New User Accounts
- Message-ID: <9209021949.AA17532@deathtongue.MIT.EDU>
- Sender: news@shelby.stanford.edu (USENET News System)
- Organization: Internet-USENET Gateway at Stanford University
- References: <199209021933.AA04400@magrathea.ksr.com>
- Date: Wed, 2 Sep 1992 19:49:40 GMT
- Lines: 23
-
- The point of using SecurID is so that you don't HAVE to type your
- password in the clear over the net. Granted, this might allow one to
- obtain a tgt using SecurID as the password (instead of the normal
- login password), however this doesn't solve the problem of
- re-authentication.
-
- Once you are logged in, if you want to reauthenticate, someone can
- watch as you type your password. Since the SecurID password is
- changed every minute, and is only good once, that isn't a problem,
- however to use your SecurID code as the password would require major
- hacking of the Kerberos server and would probably make it incompatible
- with the current system. (I.e., how does the server know whether or
- not to expect a SecurID password).
-
- The solution here is not a simple one, so suggestions are open!
-
- (The real solution is to throw away SecurID as a method of
- login-password-authentication and extend Kerberos all the way across
- the modem to the terminal.)
-
- -derek