home *** CD-ROM | disk | FTP | other *** search
- Newsgroups: comp.protocols.kerberos
- Path: sparky!uunet!stanford.edu!ksr.com!dean
- From: dean@ksr.com
- Subject: Re: New User Accounts
- Message-ID: <199209032054.AA05377@magrathea.ksr.com>
- Sender: news@shelby.stanford.edu (USENET News System)
- Organization: Internet-USENET Gateway at Stanford University
- Date: Thu, 3 Sep 1992 20:54:10 GMT
- Lines: 36
-
- Yes, the scheme would require an /etc/srvtab. I don't see how to
- avoid this, unless the kerberos server knows the securID algorithm.
- This is difficult for us, as we would need to buy source to the
- securID server software.
-
-
- This definitely suffers from the problem of a compromised
- workstation. I don't think it changes the situation however, because
- if a workstation is compromised, the login program can be changed to
- steal the users password, or the tickets can be stolen after they are
- obtained.
-
- The securID code is a combination of a user chosen PIN, and a 6 or 8
- digit changing code, combining to form a minimum of a 10 or 12 digit
- number. I think this is unreasonable to crack by force in a short (8
- hour max for V4) time period. Though perhaps it is not. If the PIN
- is known, the user can definitely be cracked.
-
- Even so, a TGT or a new random key could be sent back over the
- existing secure channel. By sending a key rather than a TGT, I can
- easily configure accounts with passwords and accounts with SecurID
- cards, without having the client software aware of which is actually
- used. Also, the kerberos server and libraries don't need to be
- modified.
-
- Also, SecurID code replay can be avoided by keeping a cache of
- recently used SecurID codes, and insuring that they are only used
- once. Now, one only needs to worry about the users tickets being
- stolen should the workstation be compromised.
-
-
- --Dean
-
- Dean Anderson
- KSR Computing Facilities
- Kendall Square Research
-
