LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-14-2012, 06:54 AM   #1
patmut
LQ Newbie
 
Registered: Jun 2011
Posts: 8

Rep: Reputation: Disabled
Question Kerberos displays username in cleartext while logging to Active Directory, is it ok?


I'm working on a Linux integration project into Active Directory for our business organization. The Linux clients are RHEL 5/6 and the AD is running MS Windows 2008. Among multiple options, I'm ok with the Winbind/Kerberos option. I've set up the my lab environment and now the Linux systems can authenticate AD users. Before exporting the solution to the production environment, I wanted to have a look on the authentication traffic when I've noticed that every time a client initiates a authentication request to the AD, the username is transmitted in clear text within the Kerberos AS-REQ packet. Is it normal behavior of the Kerberos protocol or should I expect that the username be also encrypted?

Last edited by patmut; 11-14-2012 at 06:55 AM.
 
Old 11-14-2012, 06:58 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,397

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Well, that's the standard in the Kerberos RFC.

(I would generally suggest that pure LDAP is a nicer simpler approach to Linux / AD integration than winbind etc., and over TLS the whole lot would always be included)
 
Old 12-03-2012, 09:42 AM   #3
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,194

Rep: Reputation: 567Reputation: 567Reputation: 567Reputation: 567Reputation: 567Reputation: 567
It's part of the protocol. As I recall, the principle is also inside the encrypted portion, and the two must match or the AS-REQ is rejected.
 
  


Reply

Tags
active directory, authentication, encryption, kerberos


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Kerberos and Active Directory Integration jonofmac Red Hat 4 07-19-2012 11:16 PM
Username & Password Sync Fedora Directory and Microsoft Active Directory karnac01 Fedora 4 07-19-2010 12:51 AM
Kerberos -> Active Directory Authentication Ogrius Red Hat 0 04-05-2006 02:26 PM
Active Directory Kerberos macusr Linux - Networking 5 03-24-2006 03:36 PM
Active Directory, Kerberos, LDAP, PAM, and nsswitch PenguinPwrdBox Linux - Security 1 06-04-2005 09:56 PM


All times are GMT -5. The time now is 04:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration