Date: Thu, 25 Mar 1999 01:05:58 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Mike Thompson <miket@dnai.com>
Cc: Gary Gaskell <gaskell@isrc.qut.edu.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <199903250905.BAA95946@apollo.backplane.com>
References: <199903250426.UAA68023@apollo.backplane.com> <4.1.19990324234311.00a0eba0@mail.dnai.com>

:The general consensus seems to be that rsh and like tools can be easily
:hacked, kerberos or no kerberos.
:
:Thanks again,

Well, for rsh or telnet configured for kerberos-only operation, it's reasonably safe. The one problem with this is that kerberos defaults to disabling encryption ... you have to explicitly enable it.

In general, the biggest security hole with standard tools such as ftp, rsh, telnet, and rlogin (non-kerberos) is that they pass plaintext and both initial passwords and passwords passed later on are vulnerable to interception. With kerberos and no encryption by default, these tools are still vulnerable. You can get into the account just fine without exposing a password, but once in the account if you need to type a password of any sort in to do something else, *that* password is vulnerable to interception.

-Matt
Matthew Dillon <dillon@backplane.com>