pamifying kerberos servers

It is important to distinguish:

                           kerberized telnet
GOOD:    user-workstation ------------------- remote-service
       {windows AD login                    {password-free login
        or unix kinit;                       using kerberos token}
        kerberos telnet}

                            standard telnet
BAD:     user-workstation ------------------- remote-service
        {local login only;                  {pam_krb5
         standard telnet}                    authentication}

Both use Kerberos to do the authentication. However, the pam_krb5
solution involves the user's Kerberos password crossing the net
in the clear. Of course there are many cases where this is OK:
secure LAN, encrypted IPsec link, etc. However, we would like to
move to the real Kerberos solution where passwords are only used
locally.

The problem is that the Kerberos servers (such as kshd and
replacements for telnetd and ftpd) are, I think, not PAMified,
so installing Kerberos can be a backward step in server
functionality. Is anyone working on this?

Bob
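
Added example, not part of the original post: a small audit that finds the "BAD" case above, i.e. PAM services for cleartext protocols whose auth stack reaches pam_krb5, including through include directives. The service names in CLEARTEXT_SERVICES and the contents of SAMPLE_PAM_D are assumptions constructed for illustration; adjust them to the distribution being checked.

```python
import re

# Assumption: PAM service names used by daemons whose protocol carries the
# typed password unencrypted. Names vary by distribution; adjust as needed.
CLEARTEXT_SERVICES = {"remote", "ftp", "rlogin", "rexec"}

AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(service, pam_d, seen=None):
    """Module file names in a service's auth stack, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:
        return []
    seen.add(service)
    mods = []
    for raw in pam_d[service].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) > 1 and parts[0] == "@include":   # Debian-style include
            mods += auth_modules(parts[1], pam_d, seen)
            continue
        m = AUTH_LINE.match(line)
        if not m:
            continue                             # not an auth entry
        control, target = m.groups()
        if control in ("include", "substack"):   # Red Hat-style include
            mods += auth_modules(target, pam_d, seen)
        else:
            mods.append(target.rsplit("/", 1)[-1])
    return mods

def cleartext_krb5_services(pam_d, services=CLEARTEXT_SERVICES):
    """Services where a password typed over a cleartext link reaches pam_krb5."""
    return sorted(s for s in services
                  if "pam_krb5.so" in auth_modules(s, pam_d))

# Constructed sample of /etc/pam.d, keyed by file name (not from a real host).
SAMPLE_PAM_D = {
    "system-auth": "auth sufficient pam_unix.so nullok\n"
                   "auth sufficient pam_krb5.so use_first_pass\n"
                   "auth required pam_deny.so\n",
    "remote": "#%PAM-1.0\nauth required pam_securetty.so\n"
              "auth include system-auth\n",
    "rlogin": "auth [success=ok default=bad] /lib/security/pam_krb5.so\n",
    "ftp": "auth required pam_unix.so  # pam_krb5.so not enabled\n",
    "sshd": "auth include system-auth\n",
}

if __name__ == "__main__":
    print(cleartext_krb5_services(SAMPLE_PAM_D))
```

On a real host, build the dictionary by reading each file under /etc/pam.d and pass it in place of SAMPLE_PAM_D.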




