Hi,
just wanted to pick up the Kerberos thread dropped by SEP.
Afaik, a kerberized FTP application will not encrypt the FTP data stream travelling over the net.
Kerberos is "only" good for achieving single-sign-on by authenticating and authorizing users who access kerberized applications (such as FTP).
Actually in a Kerberos environment there will never be any passwords exchanged.
Inspite a Key Distribution Center (KDC) is sending a Ticket Granting Ticket (TGT) to a user when he first tries to authenticate to an application.
The TGT is encrypted with the user's password which is stored centrally in a list on the KDC.
For the KDC the user is authenticated as soon as he can decrypt the TGT.
After that the user requests tickets for each kerberized application he wishes to use throuh the TGT.
It is important to note that there are no passwords clear text or encrypted but only tickets exchanged.
These tickets usually expire after a set time.
Thus an attacker even if he could manage to get hold of a valid ticket could in theory only compromise a single session for a limited time.
The greatest threat is that the KDC ever gets compromised.
To read more about the MIT's implementation of the protocol see
http://web.mit.edu/kerberos/www/ There must be also ample documentation on how to kerberize HP-UX applications from here:
http://docs.hp.com/en/internet.html#Kerberos But I think a much easier and less involved approach would be to use SSH's sftp
as already suggested by others.
Madness, thy name is system administration
