Great Circle Associates Firewalls
(October 1993)
 


Subject: Re: System Security
From: "Perry E. Metzger" <pmetzger @ lehman . com>
Date: Wed, 27 Oct 1993 11:40:36 -0400
To: Bob Dew <rdew @ alw . nih . gov>
Cc: Firewalls @ greatcircle . com
In-reply-to: Your message of "Wed, 27 Oct 1993 10:10:31 EDT." <8gnc5LO0ts4j0twkdX @ alw . nih . gov>
Reply-to: pmetzger @ lehman . com

Bob Dew says:
> Excerpts from Firewalls: 26-Oct-93 Re: System Security Richard
> Chycoski @ wizard . (3341)
> 
> > If you think that Kerberos is secure on a multiuser machine, even without
> > root tampering, you're misinformed.
> 
> As I mentioned, the authenticating host can be remote.  We call this
> host the "cache manager".  The cache manager can be locked in a vault and
> stripped of user accounts and of all non-rpc network access, if you want.

What are you talking about? You have to get Kerberos tickets on the
host that is accessing AFS if you are going to get files. If you
didn't need to do this the system would not be secure, since anyone
can forge IP packets.

Perry


