Path: utzoo!attcan!uunet!snorkelwacker!apple!bionet!agate!shelby!ctt.bellcore.com!lunt
From: lunt@ctt.bellcore.com (Steve Lunt)
Newsgroups: comp.protocols.kerberos
Subject: RE: Why is initial user authentication done the way it is?
Message-ID: <9006151330.AA28394@dduck.ctt.bellcore.com>
Date: 15 Jun 90 13:30:20 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 43

Although with a modified kpasswd you can screen passwords which are set from your system, you cannot prevent a user from contacting the Kerberos server independent of your kpasswd and changing his password to something trivial. If the user has a copy of the old kpasswd, he can simply use that. Notice that kpasswd is not setuid.

-- Steve

----- Begin Included Message -----

Date: Thu, 14 Jun 90 23:43:18 -0400
From: bede@linus.mitre.org
Subject: RE: Why is initial user authentication done the way it is?

...

At the risk of carrying the discussion off on a tangent: the issue of dictionary-based password attacks is, at many sites, moot. For example, we've rigidly enforced a rule here for about two years prohibiting dictionary and various other "trivial" passwords for user logins. The muscle behind the policy is provided by a rather simple password cracker I wrote, plus a modified version of passwd (and Real Soon Now, kpasswd).

In a sense, support for extensions is already in Kerberos, just as it is for passwd, assuming you have the source code. In our case, aside from the locally-produced lookup code, the total modification to (k)passwd amounts to less than 50 lines, but could be *much* less than that, of course.

Regardless of the merits of the encryption/authentication scheme used, it just makes sense to discourage trivial attacks right from the start, if at all possible.

-Bede McCall
Research Computing Facility
MITRE Corp.                     Internet: bede@mitre.org
MS A114                         UUCP: {decvax,philabs}!linus!bede
Burlington Rd.
Bedford, MA 01730
(617) 271-2839

----- End Included Message -----
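The two messages above make one combined point: a trivial-password screen of the kind McCall describes (dictionary words, the account name, short or all-digit strings) is worthwhile, but Lunt's objection holds if the screen lives only in a modified kpasswd, because any client that talks to the server directly skips it. The example below is added here and is not code from either poster, from MIT Kerberos, or from MITRE. It is a hypothetical screen written in C, placed in the one routine that actually writes the password (a stand-in for the server-side change-password handler), so that an old or hand-rolled client gets the same refusal. The word list, the principal database and the `MIN_LEN` threshold are constructed for the example; a real dictionary is far larger.

```c
/* Added example: trivial-password screen enforced where the password is set.
 * Hypothetical code, not from Kerberos, MITRE or the posters.  The word list,
 * principal database and thresholds below are constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pw_verdict { PW_OK = 0, PW_TOO_SHORT, PW_ALL_DIGITS,
                  PW_IS_USERNAME, PW_IN_DICTIONARY, PW_NO_SUCH_USER };

#define MIN_LEN 6

/* Constructed stand-in for /usr/dict/words. */
static const char *dictionary[] = {
    "secret", "password", "kerberos", "athena", "welcome", "dragon",
};
static const size_t ndict = sizeof dictionary / sizeof dictionary[0];

/* Lower-case copy of src into dst (dst holds n bytes, result NUL-terminated). */
static void lower_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Reversed copy of src into dst, truncated to fit n bytes. */
static void reverse_copy(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src), i;
    if (len + 1 > n) len = n - 1;
    for (i = 0; i < len; i++)
        dst[i] = src[len - 1 - i];
    dst[len] = '\0';
}

/* Drop one leading and one trailing digit: "secret1" and "1secret" are
 * the usual "fixes" a user applies to a rejected dictionary word. */
static void strip_edge_digits(char *s)
{
    size_t len = strlen(s);
    if (len && isdigit((unsigned char)s[len - 1])) s[--len] = '\0';
    if (len && isdigit((unsigned char)s[0])) memmove(s, s + 1, len);
}

/* The screen itself: returns PW_OK or the first reason for rejection. */
enum pw_verdict screen_password(const char *pw, const char *user)
{
    char lpw[256], rpw[256], luser[256];
    size_t i;

    if (strlen(pw) < MIN_LEN) return PW_TOO_SHORT;
    for (i = 0; pw[i] && isdigit((unsigned char)pw[i]); i++) ;
    if (!pw[i]) return PW_ALL_DIGITS;

    lower_copy(lpw, pw, sizeof lpw);
    lower_copy(luser, user, sizeof luser);
    reverse_copy(rpw, lpw, sizeof rpw);
    if (!strcmp(lpw, luser) || !strcmp(rpw, luser)) return PW_IS_USERNAME;

    strip_edge_digits(lpw);
    reverse_copy(rpw, lpw, sizeof rpw);
    for (i = 0; i < ndict; i++)
        if (!strcmp(lpw, dictionary[i]) || !strcmp(rpw, dictionary[i]))
            return PW_IN_DICTIONARY;
    return PW_OK;
}

/* Constructed one-entry principal database. */
struct principal { char name[64]; char password[256]; };
static struct principal db[] = { { "bmccall", "initial-pw" } };

/* Current stored password, or NULL for an unknown principal. */
const char *stored_password(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof db / sizeof db[0]; i++)
        if (!strcmp(db[i].name, user)) return db[i].password;
    return NULL;
}

/* The only path that writes a password.  Because the screen runs here rather
 * than in the client, an old kpasswd (or any client speaking to the server
 * directly) is refused exactly as the modified one is. */
enum pw_verdict server_change_password(const char *user, const char *newpw)
{
    enum pw_verdict v = screen_password(newpw, user);
    size_t i;
    if (v != PW_OK) return v;
    for (i = 0; i < sizeof db / sizeof db[0]; i++) {
        if (!strcmp(db[i].name, user)) {
            strncpy(db[i].password, newpw, sizeof db[i].password - 1);
            db[i].password[sizeof db[i].password - 1] = '\0';
            return PW_OK;
        }
    }
    return PW_NO_SUCH_USER;
}

int main(void)
{
    const char *tries[] = { "Secret1", "llaccmb", "1234567", "xq7!Lp2v" };
    size_t i;
    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-10s -> verdict %d\n", tries[i],
               server_change_password("bmccall", tries[i]));
    return 0;
}
```

The screen is deliberately simple (case folding, reversal, one stripped digit, exact dictionary match); what matters for the thread's argument is its placement. With the same function compiled into kpasswd alone, the user with the old binary would never execute it.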