LinuxQuestions.org
Old 11-14-2012, 07:54 AM   #1
patmut
LQ Newbie
 
Registered: Jun 2011
Posts: 8

Rep: Reputation: Disabled
Kerberos displays username in cleartext while logging to Active Directory, is it ok?


I'm working on a Linux integration project into Active Directory for our business organization. The Linux clients are RHEL 5/6 and the AD is running MS Windows 2008. Among multiple options, I'm OK with the Winbind/Kerberos option. I've set up my lab environment and now the Linux systems can authenticate AD users. Before exporting the solution to the production environment, I wanted to have a look at the authentication traffic, and I noticed that every time a client initiates an authentication request to the AD, the username is transmitted in clear text within the Kerberos AS-REQ packet. Is this normal behavior of the Kerberos protocol, or should I expect the username to be encrypted as well?

Last edited by patmut; 11-14-2012 at 07:55 AM.
 
Old 11-14-2012, 07:58 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Well, that's the standard in the Kerberos RFC.

(I would generally suggest that pure LDAP is a nicer, simpler approach to Linux / AD integration than winbind etc., and over TLS the whole lot would always be included)
 
Old 12-03-2012, 10:42 AM   #3
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,336

Rep: Reputation: 594
It's part of the protocol. As I recall, the principal is also inside the encrypted portion, and the two must match or the AS-REQ is rejected.
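The AS-REQ layout this thread is about, as an added example that is not part of any post above: a small DER reader that pulls the client name and realm out of the req-body of an AS-REQ (field numbering per RFC 4120) without any key, and lists the pre-authentication data types that travel alongside it. The sample message, the user `alice`, the realm `EXAMPLE.COM` and all helper names are constructed for illustration.

```python
def tlv(tag, body):
    """Encode one DER element (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def children(buf):
    """Yield (tag, value) for each DER element directly inside buf."""
    off = 0
    while off < len(buf):
        tag, n, off = buf[off], buf[off + 1], off + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
        if off + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[off:off + n]
        off += n

def first(buf): return next(children(buf))[1]                  # value of the first element
def ctx(buf): return {t & 0x1F: v for t, v in children(buf)}   # [n] tag -> wrapped element

def parse_as_req(msg):
    tag, kdc_req = next(children(msg))
    if tag != 0x6A:                      # [APPLICATION 10] marks an AS-REQ
        raise ValueError("not an AS-REQ")
    req = ctx(first(kdc_req))            # pvno [1], msg-type [2], padata [3], req-body [4]
    body = ctx(first(req[4]))            # KDC-REQ-BODY: plain DER, nothing to decrypt
    cname = ctx(first(body[1]))          # PrincipalName: name-type [0], name-string [1]
    names = [v.decode() for _, v in children(first(cname[1]))]
    pa = [int.from_bytes(first(ctx(p)[1]), "big")
          for _, p in children(first(req[3]))] if 3 in req else []
    return {"cname": "/".join(names), "realm": first(body[2]).decode(), "padata_types": pa}

def seq(*parts): return tlv(0x30, b"".join(parts))
def exp(n, inner): return tlv(0xA0 | n, inner)
def integer(v): return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def gstr(s): return tlv(0x1B, s.encode())

def build_sample(user, realm):
    """Constructed AS-REQ; the padata value is placeholder bytes, not real ciphertext."""
    pa = seq(exp(1, integer(2)), exp(2, tlv(0x04, bytes(52))))  # type 2 = PA-ENC-TIMESTAMP
    cname = seq(exp(0, integer(1)), exp(1, seq(gstr(user))))
    sname = seq(exp(0, integer(2)), exp(1, seq(gstr("krbtgt"), gstr(realm))))
    body = seq(exp(0, tlv(0x03, bytes(5))), exp(1, cname), exp(2, gstr(realm)),
               exp(3, sname), exp(5, tlv(0x18, b"20370913024805Z")),
               exp(7, integer(12345)), exp(8, seq(integer(18))))
    return tlv(0x6A, seq(exp(1, integer(5)), exp(2, integer(10)), exp(3, seq(pa)), exp(4, body)))
```

`parse_as_req(build_sample("alice", "EXAMPLE.COM"))` returns the client name, realm and padata type list straight from the bytes on the wire.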
 
  


Tags
active directory, authentication, encryption, kerberos


All times are GMT -5.
