Subject: Re: Status of Kerberos IV or 5
To: Chris Jones <cjones@honors.montana.edu>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: current-users
Date: 01/22/1998 21:09:52
>About portability: Can't you just do something like "xhost krb5", to
>allow kerberos-authenticated connections, and "xhost host.foo.edu" to do
>the normal host-based authentication thing? So, if your site has lots of
>kerberized-X machines, you gain some security. If you have to deal with
>non-kerberized X machines, you haven't really lost anything by having krb5
>on yours, have you?
Well, I would _hope_ you wouldn't be using xhost at all, since it's trust
is based on IP addresses, and those are pretty easy to spoof ... and anyone
on a machine you xhost can connect to your display, read your keystrokes,
insert synthetic X events to your applications ...
Xauth is mildly better ... about at the level of using a plaintext
password. Most cracker scripts haven't figured out how to exploit it ...
yet :-)
I understand your point about using the support when available ... but
if your coverage is very small (and considering the number of systems
that support it, it almost has to be :-) ), then I wonder if it's really
worth the effort.
--Ken