LinuxQuestions.org


patmut 11-14-2012 06:54 AM

Kerberos displays username in cleartext while logging to Active Directory, is it ok?
 
I'm working on a Linux integration project into Active Directory for our business organization. The Linux clients are RHEL 5/6 and the AD is running MS Windows 2008. Among multiple options, I'm OK with the Winbind/Kerberos option. I've set up my lab environment and now the Linux systems can authenticate AD users. Before exporting the solution to the production environment, I wanted to have a look at the authentication traffic, and I noticed that every time a client initiates an authentication request to the AD, the username is transmitted in clear text within the Kerberos AS-REQ packet. Is this normal behavior of the Kerberos protocol, or should I expect the username to be encrypted as well?

acid_kewpie 11-14-2012 06:58 AM

Well, that's the standard in the Kerberos RFC.

(I would generally suggest that pure LDAP is a nicer, simpler approach to Linux / AD integration than winbind etc., and over TLS the whole lot would always be included.)

jpollard 12-03-2012 09:42 AM

It's part of the protocol. As I recall, the principal is also inside the encrypted portion, and the two must match or the AS-REQ is rejected.
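
Added example, not part of the thread: a minimal DER walker that follows the RFC 4120 layout (AS-REQ → req-body [4] → cname [1] / realm [2]) and reads the client name straight out of the unencrypted request body, which is what the capture in the question shows. The sample packet is constructed and simplified (no padata, sname or etype list); the user `jdoe` and realm `EXAMPLE.LAB` are made-up values.

```python
def tlv(tag, body):
    nb = (len(body).bit_length() + 7) // 8  # bytes needed for a long-form length
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | nb]) + len(body).to_bytes(nb, "big")
    return bytes([tag]) + length + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # tag -> content for the fields directly inside a SEQUENCE body
    out, pos = {}, 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out[tag] = val
    return out

def as_req_identity(packet):
    """Return (cname components, realm, padata_present) from a raw AS-REQ."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x6A:  # [APPLICATION 10] marks an AS-REQ
        raise ValueError("not an AS-REQ")
    kdc_req = children(read_tlv(body)[1])
    req_body = children(read_tlv(kdc_req[0xA4])[1])  # req-body [4], plain DER
    realm = read_tlv(req_body[0xA2])[1].decode()     # realm [2]
    names, pos = [], 0
    if 0xA1 in req_body:                             # cname [1] is OPTIONAL
        pname = children(read_tlv(req_body[0xA1])[1])
        seq = read_tlv(pname[0xA1])[1]               # name-string [1] SEQUENCE OF
        while pos < len(seq):
            _, s, pos = read_tlv(seq, pos)
            names.append(s.decode())
    return names, realm, 0xA3 in kdc_req             # padata [3] present?

def sample_as_req(user, realm):
    """Constructed, simplified AS-REQ (no padata, sname or etype); not a capture."""
    gs = lambda s: tlv(0x1B, s.encode())  # KerberosString (GeneralString)
    cname = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01")) + tlv(0xA1, tlv(0x30, gs(user))))
    body = tlv(0x30, tlv(0xA0, tlv(0x03, bytes(5))) + tlv(0xA1, cname) + tlv(0xA2, gs(realm))
               + tlv(0xA5, tlv(0x18, b"20370913024805Z")) + tlv(0xA7, tlv(0x02, b"\x01")))
    head = tlv(0xA1, tlv(0x02, b"\x05")) + tlv(0xA2, tlv(0x02, b"\x0a"))  # pvno 5, msg-type 10
    return tlv(0x6A, tlv(0x30, head + tlv(0xA4, body)))

print(as_req_identity(sample_as_req("jdoe", "EXAMPLE.LAB")))
```

For a request captured over TCP, strip the 4-byte length prefix that precedes each Kerberos message before passing the bytes to `as_req_identity`.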

