Subject: Re: kerberos in 1.5_ALPHA
To: None <current-users@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 07/17/2000 04:20:41
On Sun, Jul 16, 2000 at 01:00:12PM -0700, Jason R Thorpe wrote:
> On Sun, Jul 16, 2000 at 12:02:00PM -0700, Paul Goyette wrote:
>
> > > In the Athena environment (the original user of Kerberos), Hesiod (i.e.
> > > "dns" in nsswitch.conf) is used for the user/group database info,
> >
> > So, shouldn't use of Kerberos for password changing depend on presence
> > of DNS in the nsswitch.conf entry for password? Currently, setting
> > nsswitch.conf to "files" only still doesn't disable Kerberos attempts.
>
> No. I was only pointing out that Kerberos is separate from where the
> user information comes from.
Furthermore, Kerberos for passwords and NIS (YP) for everything else is
a somewhat common configuration.
Of course, this suffers the same problems as Kerberos plus DNS for the
user database information: an attacker can swap out the user's shell, or,
for example, put "::" or a known password into the pw->passwd field of
the user's passwd database record and bypass Kerberos or gain access the
user shouldn't have. Fixing *that* properly requires DNSSEC for the Hesiod
records; most sites use various special-purpose hacks of dubious value,
or rsync out an actual password file using a secure transport.
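One defensive check that follows from the point above, as an added example that is not part of the thread: audit passwd records served by an untrusted directory (Hesiod or NIS) for the blanked password field and swapped shell described, optionally comparing them against a trusted local copy. The allowed shells, the placeholder markers and the sample records are assumptions.

```python
# Added example, not code from the thread: audit passwd-format records as they
# would arrive from an unauthenticated source (Hesiod, NIS) and flag the
# manipulations the message describes: a blanked or replaced password field
# (lets a client skip Kerberos) or a swapped shell. Values below are assumed.
ALLOWED_SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh"}   # assumed /etc/shells
KERBEROS_PLACEHOLDERS = {"*", "x"}   # assumed "no local hash, use Kerberos" markers

def parse_passwd_line(line):
    """Split one 7-field passwd(5) record: name:passwd:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd record: %r" % line)
    name, passwd, uid, gid, gecos, home, shell = fields
    return {"name": name, "passwd": passwd, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def audit_record(rec, baseline=None):
    """Return findings for one record; baseline is an optional trusted copy of
    the same account (e.g. from a local file) used to detect swapped fields."""
    findings = []
    if rec["passwd"] == "":
        findings.append("empty password field (Kerberos bypass)")
    elif rec["passwd"] not in KERBEROS_PLACEHOLDERS:
        findings.append("local password hash present where Kerberos expected")
    if rec["shell"] not in ALLOWED_SHELLS:
        findings.append("shell %s not in allowed set" % rec["shell"])
    if baseline is not None:
        for key in ("uid", "gid", "home", "shell"):
            if rec[key] != baseline[key]:
                findings.append("%s changed from %r to %r" % (key, baseline[key], rec[key]))
    return findings

def audit_records(lines, baselines=None):
    """Audit many records; return {name: findings} for those with findings."""
    baselines = baselines or {}
    report = {}
    for line in lines:
        rec = parse_passwd_line(line)
        findings = audit_record(rec, baselines.get(rec["name"]))
        if findings:
            report[rec["name"]] = findings
    return report

# Constructed sample: a trusted copy of one record, then records as an
# untrusted directory might serve them (blanked password, swapped shell, clean).
TRUSTED = {"alice": parse_passwd_line("alice:*:1001:100:Alice:/home/alice:/bin/sh")}
SAMPLE = ["alice::1001:100:Alice:/home/alice:/bin/sh",
          "bob:*:1002:100:Bob:/home/bob:/tmp/evil",
          "carol:*:1003:100:Carol:/home/carol:/bin/csh"]
```

Running `audit_records(SAMPLE, TRUSTED)` reports alice (empty password field) and bob (shell outside the allowed set) and stays silent on carol.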