No subject
Tue Feb 22 18:54:42 UTC 2011
One thought. If security is a concern this is potentially dangerous. A
common way to exploit authentication on Windows AD networks is that the
client computer remembers the last 10 user-names/passwords successfully
authenticated. This is useful to authenticate people when network
availability is unreliable. However if you are in a public environment or
there is a chance that someone might be interested in exploiting the
network then having physical access to a machine which stores
user-names/passwords is a big security vulnerability, especially if a
network admin was one of the last 10 people to access that machine. This is
a very common mechanism used to exploit MS based networks.

From a security mindset, once a person has physical access to a machine that
machine is easily compromised (and anything on it can and will be used
against you). One live CD, FTP location to copy the shadow file to, jack the
ripper (and time & CPU cycles) and you are open wide.

But with all things security you have to weigh up the cost of
security implementation (including inconvenience to users who will then
pester and annoy the systems team) with the cost (and likelihood) of
exploitation.

On 5 September 2011 08:24, Peter Childs <pchilds at bcs.org> wrote:
> I'm looking for a method to store passwords, that is
>
> a> Shared between multiple systems i.e. Kerberos so passwords on all the
> machines on the LAN are the same and kept the same.
> b> Stored Local i.e. Shadow passwords so it works when the central database
> is down aka the KDC, and either locked till the central repository is back
> or resynchronised.
>
> I'm thinking of some kind of Distributed password database but I can't
> think of a simple method of implementing this.
>
> Any ideas? I can't think of anything that fits the bill.
>
> Peter.
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent
>