[JDEV] digest and ldap and authentication

Donn Cave donn at u.washington.edu
Mon Jul 31 19:21:51 CDT 2000


Quoth mark at mjwilcox.com:
| You do send your password over the wire during the initial Kerberos 
| login.

You don't, even during the initial login.  The system sends you
a ticket encrypted in your password, loosely speaking, and you
decrypt it.  That's all the initial login amounts to.

The main point though is the application services.  Something like
SSL is fine if you either have one password per service, or you
have all the services in one central trusted site.  If you have
a site-wide password, and a service supported somewhere outside
its central computing facility, you have at best added to the
number of people you have to trust.  (Mainly that means, trusting
in their competence to avoid being hacked.)  At my site, a good
example would be a Jabber server on a PC in a dormitory room.
Kerberos makes it possible for that server to function in the
campus system; everyone can use their regular IDs without having
to consider that issue.

	Donn Cave, donn at u.washington.edu
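
Added example (not part of the original message or of any Kerberos implementation): a toy model of the exchange described above, in which only principal names and encrypted blobs cross the wire and the service decrypts a ticket with its own key. Assumptions: the principal names and passwords are constructed, `seal`/`unseal` are a stand-in HMAC-based cipher rather than a real Kerberos encryption type, PBKDF2 stands in for string-to-key, and the TGT/TGS step and authenticators are left out.

```python
import hashlib, hmac, os

def string_to_key(password, salt):
    # Stand-in for Kerberos string-to-key: long-term key derived from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Toy encrypt-then-MAC (NOT a Kerberos enctype), with separate subkeys.
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: cannot decrypt")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class KDC:
    def __init__(self):
        self.keys = {}  # principal -> long-term key; only the KDC holds all of them

    def register(self, principal, secret):
        self.keys[principal] = string_to_key(secret, principal)

    def issue(self, user, service):
        # The request carries only the two principal names, never a password.
        session = os.urandom(32)
        reply = seal(self.keys[user], session)                             # for the user
        ticket = seal(self.keys[service], user.encode() + b"|" + session)  # for the service
        return reply, ticket

def client_login(user, password, reply):
    # The password is used locally, to decrypt what the KDC sent.
    return unseal(string_to_key(password, user), reply)

def service_accept(service_key, ticket):
    # The service needs only its own key; it never learns the user's password.
    user, session = unseal(service_key, ticket).split(b"|", 1)
    return user.decode(), session
```

A service that is compromised here exposes its own key and the session keys it has seen, not the site-wide password.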




