RE: Mapping userPassword to Kerberos 5
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Stephen Frost
> I'd love to get some feedback from people on this, perhaps there are
> other cases where authentication through LDAP to Kerberos makes some
> sense. Or perhaps there are other problems with pam_krb5 I've not run
> into. If there's enough demand for the Debian packages to be compiled
> with --enable-kpasswd we may be willing to do this in the future.

As I've posted before - for the reasons you outline, we strongly discourage
people from using this kpasswd stuff. Likewise for pam_krb5; any mechanism
that lets you send a Kerberos password across a network completely defeats
whatever security Kerberos had to offer.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support