List: krbdev
Subject: Re: pkinit and passwords issues
From: Tom Yu <tlyu () MIT ! EDU>
Date: 2010-02-16 14:57:09
Message-ID: ldvhbphz0sa.fsf () cathode-dark-space ! mit ! edu
Jeffrey Altman <jaltman@secure-endpoints.com> writes:
> Setting a random password and setting it to never expire results in
> there being a password that can be brute forced over a long period of
> time and used as a backdoor. It would be much better if a property on
> the principal simply indicated "no password authentication permitted"
> and be done with it.
The "randkey" operation sets a random key, not a random password, so
the risk here is a brute force attack on the keyspace of the cipher,
not a dictionary attack. If you are using a cipher that has a
keyspace small enough to pose significant risk (e.g. single-DES), you
should consider using a stronger cipher.
There is still value in being able to disable password-based
authentication for a principal, such as a situation where the
administrator wants to keep a password-derived key around for a
principal but wants to temporarily disable password authentication for
policy reasons.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
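The distinction Tom draws above (a random key drawn from the full cipher keyspace versus a key derived from a password, whose effective entropy is bounded by the password) can be made concrete. The following Python is an added example, not code from the thread or from MIT Kerberos: it implements the PBKDF2 stage of the RFC 3962 AES string-to-key (default salt = realm + principal, default 4096 iterations), omits the final AES-based DK() step since that step is a deterministic function of the PBKDF2 output and adds no entropy, models what "randkey" produces with a CSPRNG draw, and compares the search work an attacker faces in each case. The KEY_BITS table, the candidate-count figures and the function names are this example's own assumptions.

```python
import hashlib
import math
import secrets

# Key lengths of a few RFC 3961/3962 enctypes (constructed table for this
# example; only the AES types use the PBKDF2 string-to-key implemented below).
KEY_BITS = {
    "des-cbc-crc": 56,                 # single-DES: the small keyspace Tom warns about
    "aes128-cts-hmac-sha1-96": 128,
    "aes256-cts-hmac-sha1-96": 256,
}


def rfc3962_pbkdf2(password: str, realm: str, principal: str,
                   key_bits: int = 128, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key.

    The default salt is the realm name followed by the principal name
    components; the default iteration count is 4096. RFC 3962 then applies
    DK(tmpkey, "kerberos"), an AES-based step omitted here: it is a fixed
    function of this output, so the key's entropy is exactly the entropy of
    the password the user chose.
    """
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, key_bits // 8)


def randkey(key_bits: int) -> bytes:
    """What a randkey operation produces: a key drawn uniformly from the
    whole keyspace, with no password behind it to guess."""
    return secrets.token_bytes(key_bits // 8)


def password_key_search_bits(candidate_passwords: int, key_bits: int) -> float:
    """Work (log2 of trials) to recover a password-derived key: bounded by
    the number of passwords the user plausibly chose from, never more than
    the keyspace itself."""
    return min(math.log2(candidate_passwords), key_bits)


def random_key_search_bits(key_bits: int) -> int:
    """Work to recover a random key: the full keyspace of the enctype."""
    return key_bits


def compare(etype: str, candidate_passwords: int) -> dict:
    """Side-by-side view of the two risks for one enctype."""
    bits = KEY_BITS[etype]
    return {
        "etype": etype,
        "password_derived_bits": password_key_search_bits(candidate_passwords, bits),
        "random_key_bits": random_key_search_bits(bits),
    }


if __name__ == "__main__":
    # Constructed sample: the same password always yields the same key for a
    # given realm/principal, which is exactly why a dictionary is enough.
    k1 = rfc3962_pbkdf2("hunter2", "EXAMPLE.COM", "alice")
    k2 = rfc3962_pbkdf2("hunter2", "EXAMPLE.COM", "alice")
    print("password-derived key deterministic:", k1 == k2)
    print("randkey keys differ:", randkey(128) != randkey(128))
    # ~1e9 candidates is a generous allowance for a human-chosen password.
    for etype in KEY_BITS:
        print(compare(etype, 10**9))
```

Running the block shows the point of the thread: against a password-derived AES-256 key the attacker's work is about 30 bits (the dictionary), while against a randkey'd AES-256 key it is the full 256; only with a 56-bit enctype like single-DES does the random key itself become the weak link.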