Bugtraq mailing list archives
Re: Plain text passwords--necessary
From: tep () SDSC EDU (Tom Perrine)
Date: Tue, 20 Apr 1999 12:14:30 -0700
On Tue, 20 Apr 1999 13:23:33 +1000, Chris <chris () ORMOND UNIMELB EDU AU> said:
Chris> Perhaps it would be possible to use an authentication agent with which to
Chris> store user passwords for services so that the user is only prompted once per
Chris> session (indeed, their login password could maybe suffice). This password
Chris> is used as the private key to a small db of passwords, which any program
Chris> can register with. The concept is akin to ssh-agent. Would this be a
Chris> possible thing - or are there problems with this approach as well? How
Chris> difficult would it be to implement?

Congratulations. You have just re-discovered Single Sign On (SSO) :-)

Kerberos, DCE, and some PKI-based systems such as Grid Security Infrastructure are all designed to provide "one account, one authentication, all authorized services everywhere authorized" for users.

All of these require some trusted agent to perform as a trusted proxy for you; dispensing credentials on demand as they are requested. SSH-agent is an implementation of an SSO system, with the agent as the proxy that holds your SSH passphrase. In Kerberos/DCE, the KDC performs this service. In GSI, you self-sign an X.509 cert that has limited lifetime (just like a Kerberos TGT).

You pick your infrastructure, and you take your chances :-) You have to trust *something* to hold your credentials safely, and only perform the right actions at the right time, to the right hosts/services.

"Where do you want your keys to go today?" :-)

--tep
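The trusted-agent pattern discussed in this message, as an added Python example that is not part of the original post and is not Kerberos, DCE or GSI code. It assumes a hypothetical `Agent` that shares one key with each registered service and hands out short-lived, service-bound tickets; all names, keys and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import time


class Agent:
    """Hypothetical trusted proxy: holds the long-term keys so programs never do."""

    def __init__(self):
        self._service_keys = {}  # service name -> key shared with that service

    def register(self, service, key):
        self._service_keys[service] = key

    def issue(self, user, service, lifetime=300, now=None):
        """Dispense a credential valid for one service and a limited time."""
        if "|" in user or "|" in service:
            raise ValueError("'|' is the field separator")
        now = time.time() if now is None else now
        key = self._service_keys[service]  # KeyError: service not authorized
        body = f"{user}|{service}|{int(now + lifetime)}"
        tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"


def verify(ticket, service, key, now=None):
    """Service-side check: returns the user name, or None if the ticket is bad."""
    now = time.time() if now is None else now
    body, sep, tag = ticket.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a wrong key or altered field fails here.
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    user, svc, expiry = body.split("|")
    # Right service, right time: reject tickets for other services or expired ones.
    if svc != service or now >= int(expiry):
        return None
    return user


if __name__ == "__main__":
    mail_key = b"constructed-mail-key"  # constructed sample key
    agent = Agent()
    agent.register("mail", mail_key)
    ticket = agent.issue("chris", "mail", lifetime=300, now=1000)
    print(verify(ticket, "mail", mail_key, now=1100))  # accepted
    print(verify(ticket, "mail", mail_key, now=1300))  # expired
```

A stolen ticket is useful only against the one service it names and only until it expires, while the agent remains the single component that must be trusted with the long-term keys.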