From: Garrett Wollman
Date: Sat, 3 Feb 2001 00:13:30 -0500 (EST)
To: Robert Watson
Cc: security@FreeBSD.ORG
Subject: Re: PAM/SSH and KerberosIV?
Message-Id: <200102030513.AAA94021@khavrinen.lcs.mit.edu>
In-Reply-To:
References: <200101310049.f0V0n1f15852@green.dyndns.org>

< said:
> I ran through the tests, and the following occurs: without the
> pam_kerberosIV.so entry in /etc/pam.conf, you cannot log in using
> kerberos.

My feeling is that enabling pam_kerberosIV for anything other than
login and xdm is an exceedingly poor idea. It's bad enough that most
SSH clients confuse the issue by prompting for the password as if it
were being processed locally. At least if you make users kinit
manually, there's a fair understanding of what is actually happening
where.

The entire point and design of Kerberos is that you never, ever send
your password over the net, not even over an encrypted channel except
to change it.

My own personal policy, which many would call overly strict, is to set
`PasswordAuthentication no' on any sshd which knows how to do Kerberos.
(I can't always implement my own policy even on machines completely
under my control.)

-GAWollman
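As an added illustration of the policy stated in the message above (example code, not from the thread or from FreeBSD), this Python audit parses an sshd_config and flags PasswordAuthentication left enabled, or re-enabled in a Match block, on a server that offers Kerberos authentication. The sample config is constructed; KerberosAuthentication and GSSAPIAuthentication are taken as the OpenSSH keywords that mark an sshd which "knows how to do Kerberos", and first-occurrence-wins parsing follows sshd's documented behaviour.

```python
"""Audit an sshd_config for the policy in the post above: a server that
offers Kerberos authentication should have PasswordAuthentication off."""
import re

# Constructed sample sshd_config for the demonstration (not taken from the post).
SAMPLE_CONFIG = """\
Port 22
KerberosAuthentication yes
#PasswordAuthentication no   <- commented out, so sshd's default (yes) applies
GSSAPIAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
# Keywords whose 'yes' value makes this an sshd that "knows how to do Kerberos".
KERBEROS_KEYWORDS = ("kerberosauthentication", "gssapiauthentication")

def parse_sshd_config(text):
    """Return (global_opts, match_blocks). global_opts maps a lowercased keyword
    to its FIRST value, because sshd honours the first occurrence of a keyword;
    match_blocks lists (criteria, {keyword: value}) for each Match section."""
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments/blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                               # start a new Match section
            match_blocks.append((value, current))
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_opts.setdefault(key, value)
    return global_opts, match_blocks

def audit(text):
    """Return policy findings; an empty list means the config complies."""
    global_opts, match_blocks = parse_sshd_config(text)
    if not any(global_opts.get(k, "no").lower() == "yes" for k in KERBEROS_KEYWORDS):
        return []   # policy only applies to Kerberos-aware servers
    findings = []
    # PasswordAuthentication defaults to yes when it is not set at all.
    if global_opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("global: PasswordAuthentication is not 'no'")
    for criteria, opts in match_blocks:
        if opts.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria}: re-enables PasswordAuthentication")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` against a real file; the sample above yields two findings.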