Re: Kerberos login on VMS

From: Robert A.M. van Lopik (lopik_at_mail.telepac.pt)
Date: 01/24/04


Date: Sat, 24 Jan 2004 22:19:47 -0000


<david20@alpha2.mdx.ac.uk> wrote in message
news:burmh3$feh$1@news.mdx.ac.uk...
> In article <H_bQb.12903$G86.3793@news.cpqcorp.net>, "Rick Barry" <richard.barry@hp.com> writes:
> >If you're talking about the external authentication feature provided by
> >PATHWORKS for logging into the system, that's still using NTLM.
> >
>
> OK.
>
> So it looks like we currently have no secure single password systems from HP
> working with VMS and other OSs. Even Microsoft advise against using NTLM unless
> you are forced to by older systems.
[ snip ]

The fact that MS has chosen Kerberos as the preferred mechanism is based on
scalability; NTLM just carries more overhead than Kerberos in large
networks.

NTLM in itself suffers from some weak encryption. With modern switched LANs
this is less of a problem, because you can't eavesdrop on them. Even then it
is good to know that NTLM actually comprises two mechanisms, the older
Lanmanager protocol and a newer NT protocol. For compatibility reasons by
default both mechanisms are used in an interchange. The LANmanager part has
weak encryption, exacerbated by the fact that it truncates the password to
six characters and forces it to uppercase, which makes a brute force attack
quite easy. However, with some registry settings on both clients and
servers, you can suppress the Lanmanager part. Of course older Windows
versions, like w95, can't participate in such a network. If somebody is
interested I could find the references.

What I don't know (and maybe Rick Barry can tell us), is whether pathworks
also supports the suppression of the old Lanmanager encryption.

All of this written under the IIRC proviso, as it is some years ago that I
looked into this.

regards
rob van lopik
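
An added example, not part of the original post and not code from any of the posters: the message mentions registry settings that suppress the LAN Manager part but does not name them, so this sketch assumes the documented Windows value LmCompatibilityLevel under the Lsa key. It audits constructed .reg-style exports (hypothetical host names) for machines that still send or still accept LM responses.

```python
import re

# Assumption of this example: the post names no registry setting. This uses
# the documented Windows value LmCompatibilityLevel under the Lsa key.
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

def _export(level, key=LSA_KEY):
    """Build a constructed .reg-style snippet for one host."""
    return '[%s]\n"LmCompatibilityLevel"=dword:%08x\n' % (key, level)

# Constructed sample data (hypothetical hosts, not real systems).
EXPORTS = {
    "ws-old": _export(0),
    "ws-ntlm": _export(2),
    "srv-strict": _export(5),
    # Same value name under an unrelated key: must not be counted.
    "ws-unset": _export(5, r"HKEY_LOCAL_MACHINE\SOFTWARE\Example"),
}

def lm_level(reg_text):
    """Return LmCompatibilityLevel from the Lsa key, or None if not set there."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == LSA_KEY.lower():
            m = re.fullmatch(r'"LmCompatibilityLevel"=dword:([0-9a-f]{8})', line, re.I)
            if m:
                return int(m.group(1), 16)
    return None

def assess(level):
    """Say what a host at this level (0-5) does with LAN Manager responses."""
    if level is None or not 0 <= level <= 5:
        return None  # no explicit setting: the OS default applies
    return {"sends_lm": level <= 1,     # 0-1: client still sends the LM response
            "accepts_lm": level <= 3}   # 4-5: validating server refuses LM

def audit(exports):
    """List hosts that still send LM, still accept LM, or have no setting."""
    report = {"sends_lm": [], "accepts_lm": [], "unset": []}
    for host in sorted(exports):
        result = assess(lm_level(exports[host]))
        if result is None:
            report["unset"].append(host)
            continue
        for flag, on in result.items():
            if on:
                report[flag].append(host)
    return report
```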
