slushpupie at gmail.com wrote:

>On 5/24/05, Richard Hoffbeck <rwh at visi.com> wrote:
>
>>Jima wrote:
>>
>>>On Tue, 24 May 2005, steve ulrich wrote:
>>>
>>>>hmm - i have the same password on possibly thousands of boxes.  i'll
>>>>have to get the NIS+ admins on that pronto.
>>>>
>>>And if someone managed to get root on one of those NIS+-managed machines,
>>>they'd be able to get to your encrypted password, right?  Right?
>>>Slightly different subject, IMO.
>>>
>>>    Jima
>>>
>>I think it's pretty easy to argue that passwords, at least passwords
>>alone, are an idea whose time has come and gone. I've recently gone
>>through a bunch of the various password checkers, PAM modules, etc. and
>>it certainly appears that they impose sufficient restrictions on what
>>constitutes an acceptable password that they actually make the resulting
>>passwords more vulnerable to brute force attacks. If you look at the
>>reduced keyspace that comes from requiring specific character classes,
>>the elimination of any passwords that contain character strings of 3
>>characters or more that appear in any of the specified dictionaries, and
>>just the psychology of memory, it seems like you should be able to build
>>a smart password cracker to exploit those enforced weaknesses - maybe a
>>project for the summer :-)
>>
>
>Now that we are not on the same topic anymore: the whole idea behind
>Kerberos solves both the original problem and the one stated above.
>Simply put, your password never goes across the network, and you can
>log into any system in your realm by logging in once (single sign-on).
>Yes, it is much more complicated to set up, but if you are managing
>400+ systems, you likely have a complicated infrastructure in place
>already.  Of course, migrating to Kerberos after you have 400+ systems
>set up is non-trivial.  It's easier to start from the ground up on that
>one.
>
I've only got a dozen users so it's hard to justify Kerberos for other
than intellectual curiosity - so it might get done anyway.

--rick
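A worked version of the keyspace argument quoted above, added here as an
example and not code from anyone in the thread. It assumes the 95 printable
ASCII characters split into four classes (26 lower, 26 upper, 10 digits, 33
symbols), an 8-character minimum, and a made-up five-word dictionary; the
"Capital + word + digit + symbol" shape is an assumed human habit, not
measured data. It shows that the composition rule alone costs only about a
bit of entropy, while the shape people actually pick under that rule costs
well over ten, and that a cracker only needs to generate what the policy
accepts.

```python
"""Keyspace arithmetic for password composition rules (added example)."""
from itertools import combinations, product
from math import log2

# Assumed split of the 95 printable ASCII characters into classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed toy dictionary standing in for cracklib-style wordlists.
WORDLIST = ["password", "admin", "secret", "summer", "monkey"]


def count_with_all_classes(class_sizes, length):
    """Strings of `length` over the union of the classes that contain at
    least one character from every class, by inclusion-exclusion over the
    sets of classes that are missing."""
    alphabet = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(class_sizes, k):
            count += (-1) ** k * (alphabet - sum(excluded)) ** length
    return count


def brute_force_count(classes, length):
    """Cross-check for tiny alphabets: enumerate every string and keep the
    ones that touch every class. `classes` is a list of strings."""
    alphabet = "".join(classes)
    hits = 0
    for chars in product(alphabet, repeat=length):
        if all(any(c in cls for c in chars) for cls in classes):
            hits += 1
    return hits


def pattern_keyspace(position_class_sizes):
    """Candidates when each position is drawn from a single class, e.g. the
    familiar Capital + lowercase word + digit + symbol shape."""
    n = 1
    for size in position_class_sizes:
        n *= size
    return n


def bits(n):
    return log2(n)


def compliance_penalty_bits(class_sizes, length):
    """Entropy given up by rejecting strings that miss a class."""
    total = sum(class_sizes) ** length
    return bits(total) - bits(count_with_all_classes(class_sizes, length))


def policy_compliant(pw, wordlist=WORDLIST, min_len=8):
    """Mimics a checker: min length, every class present, and no run of 3+
    characters taken from any dictionary word. A cracker that emits only
    candidates passing this test wastes no guesses on rejected strings."""
    if len(pw) < min_len:
        return False
    has = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }
    if not all(has.values()):
        return False
    low = pw.lower()
    for word in wordlist:
        for i in range(len(word) - 2):
            for j in range(i + 3, len(word) + 1):
                if word[i:j] in low:
                    return False
    return True


if __name__ == "__main__":
    sizes = list(CLASSES.values())
    total = sum(sizes) ** 8
    print("8 chars, 95 symbols:        %.1f bits" % bits(total))
    print("all four classes required:  -%.2f bits" % compliance_penalty_bits(sizes, 8))
    # Assumed habit: one capital, five lowercase, one digit, one symbol.
    shape = [26] + [26] * 5 + [10, 33]
    print("Capital+word+digit+symbol:  %.1f bits" % bits(pattern_keyspace(shape)))
    for pw in ("Passw0rd!", "Xq7!kz2L"):
        print("%-10s compliant=%s" % (pw, policy_compliant(pw)))
```

The inclusion-exclusion count is checked against brute force on a tiny
alphabet before trusting it on the 95-character one, which is the habit
worth keeping whenever a keyspace estimate is used to size an attack.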