[JDEV] digest and ldap and authentication

mark at mjwilcox.com mark at mjwilcox.com
Mon Jul 31 20:53:38 CDT 2000


On 31 Jul 00, at 17:21, Donn Cave wrote:

> Quoth mark at mjwilcox.com:
> | You do send your password over the wire during the initial Kerberos 
> | login.
> 
> You don't, even during the initial login.  The system sends you
> a ticket encrypted in your password, loosely speaking, and you
> decrypt it.  That's all the initial login amounts to.
That I didn't know.
> 
> The main point though is the application services.  Something like
> SSL is fine if you either have one password per service, or you
> have all the services in one central trusted site.  If you have
> a site wide password, and a service supported somewhere outside
> its central computing facility, you have at best added to the
> number of people you have to trust.  (Mainly that means, trusting
> in their competence to avoid being hacked.)  At my site, a good
> example would be a Jabber server on a PC in a dormitory room.
> Kerberos makes it possible for that server to function in the
> campus system, everyone can use their regular IDs without having
> to consider that issue.
This is a good point, but until Kerberos is everywhere, there's not 
much you can do about it. Though you better protect your TGS in 
Kerberos, otherwise the entire game is up.

SSL is still better than plaintext passwords & client side 
certificates would solve other problems besides just Jabber 
authentication (the answer to preventing SPAM & "I Love You" is to 
force everyone to digitally sign their email).


Mark
> 
> 	Donn Cave, donn at u.washington.edu
> 
> 


Mark Wilcox
mark at mjwilcox.com
Got LDAP?
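Donn's description of the initial Kerberos login above (the KDC sends a ticket and session key encrypted under a key derived from the password, and the client decrypts them locally), as an added simulation that is not code from this thread or from any Kerberos implementation. The `KDC` class, the PBKDF2-based `string_to_key`, the HMAC-based `encrypt`/`decrypt` and the `initial_login` client are all constructed stand-ins that keep the protocol shape while staying in the Python standard library; pre-authentication and ticket lifetimes are left out.

```python
"""
Constructed simulation of the Kerberos initial login (AS exchange).

Added illustration only: the KDC, the string-to-key function and the
cipher below are assumed stand-ins, not any real Kerberos code.
"""
import hashlib
import hmac
import os
import secrets


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Derive the user's long-term key from the password.

    Real Kerberos has its own string-to-key functions; PBKDF2 salted with
    realm + principal is an assumed stand-in that plays the same role.
    """
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (stand-in for an enctype)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. A wrong key fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Key Distribution Center holding every principal's long-term key."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.keys = {}
        # The krbtgt key seals every TGT: the key Mark's reply says must be
        # guarded above all else, because whoever holds it can mint tickets.
        self.krbtgt_key = secrets.token_bytes(32)

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, as_req: dict) -> dict:
        """Answer an AS-REQ. The request carried a name and nonce, no password."""
        user_key = self.keys[as_req["cname"]]
        session_key = secrets.token_bytes(32)
        tgt = encrypt(self.krbtgt_key, as_req["cname"].encode() + session_key)
        enc_part = encrypt(user_key, session_key + as_req["nonce"])
        return {"ticket": tgt, "enc_part": enc_part}


def initial_login(kdc: KDC, principal: str, password: str):
    """Client side of the login. Returns (session_key, tgt, wire_transcript)."""
    wire = []  # constructed record of every byte that crosses the network
    nonce = os.urandom(8)
    as_req = {"cname": principal, "sname": "krbtgt/" + kdc.realm, "nonce": nonce}
    wire.append(("AS-REQ", principal.encode() + as_req["sname"].encode() + nonce))
    as_rep = kdc.as_exchange(as_req)
    wire.append(("AS-REP", as_rep["ticket"] + as_rep["enc_part"]))
    # Proof of the password happens here, on the client, by decrypting.
    user_key = string_to_key(password, kdc.realm, principal)
    plain = decrypt(user_key, as_rep["enc_part"])  # raises on a wrong password
    if plain[32:] != nonce:
        raise ValueError("AS-REP nonce mismatch")
    return plain[:32], as_rep["ticket"], wire


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.ORG")
    kdc.register("alice", "correct horse battery")
    session_key, ticket, wire = initial_login(kdc, "alice", "correct horse battery")
    for name, payload in wire:
        print(name, len(payload), "bytes; password on the wire:",
              b"correct horse battery" in payload)
```

The `wire` transcript is the point: neither the password nor the key derived from it appears in either message, and the client never learns the krbtgt key that seals its own ticket, which is why compromise of that key, rather than of any one service, is what ends the game.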