[11] in Kerberos

rlogin, klogin, etc

jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:14:49 1987

From BCN%DEEP-THOUGHT@EDDIE.MIT.EDU  Wed Jun 18 16:16:27 1986
From: Clifford Neuman <BCN%DEEP-THOUGHT@EDDIE.MIT.EDU>
Subject: rlogin, klogin, etc
To: kerberos@ATHENA.MIT.EDU

Maybe it is time to make a clean break from the existing Unix programs
and thus avoid complicating this too far.  I would not be against
creating our own klogin to replace rlogin.  klogin would not need to
deal with the host.equiv file, etc.  I would, however, like to see a
.khosts file which allows users to specify what user, when
authenticated by Kerberos, can use their account.  This is an
authorization problem, and not an authentication one.

If we do take this route, the new protocol should contain a version
number as Steve suggested.  I would also suggest that things be
changed to pass the entire environment across, instead of just the
terminal type.

As to the key issue, I see no problem with grouping all the services
which run as root on a machine together, and using a single key for
them all.  Of course, all the clients of these servers will have to
know which key they need.  This isn't really a problem, as long as you
do it from the start.  rsh, rexec, rcp, and rlogin should clearly use
the same key.

I think that individual hosts should have different keys, though.
Since the name of the server will contain the hostname (by
convention), using a key based on the cluster the server is in would
require the client to be able to figure out which cluster a server is
in.  One could use the same text for the key in each case, but this
doesn't buy anything.

I will change antoln to an_to_ln as per Jerry's suggestion.  I will
also rename vxlogin.  The question is, to what?  If we use the name
klogin for the new rlogin, then we can't use it for this.  Vxlogin (or
its new name) isn't in the long term plan, though, since its
function will be performed by the normal login program.

	~ Cliff

-------
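
The split the message draws between authentication and authorization, as an added example that is not part of the original message or of any Kerberos code. The .khosts syntax (one name[.instance]@REALM per line, '#' comments), the default rule when the file is absent, and all names and realms below are assumptions made for illustration.

```python
import re

# Assumed entry syntax: name[.instance]@REALM, one per line, '#' starts a comment.
PRINCIPAL = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)?@[A-Za-z0-9.-]+")

def parse_khosts(text):
    """Return the set of principals named in a .khosts body, ignoring bad lines."""
    allowed = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        # fullmatch: wildcards and trailing junk never become a grant
        if entry and PRINCIPAL.fullmatch(entry):
            allowed.add(entry)
    return allowed

def may_use_account(principal, local_user, khosts_text, local_realm):
    """Authorization only: `principal` is assumed already authenticated by Kerberos."""
    if khosts_text is None:
        # Assumed default when no file exists: only the account's own principal.
        return principal == f"{local_user}@{local_realm}"
    # File present: exact, case-sensitive match against the listed principals.
    return principal in parse_khosts(khosts_text)

# Constructed sample .khosts for the hypothetical local account 'alice'.
SAMPLE_KHOSTS = """\
# constructed sample
alice@EXAMPLE.ORG
bob@EXAMPLE.ORG        # colleague
carol.admin@EXAMPLE.ORG
*@EXAMPLE.ORG          # not valid syntax, ignored
"""

def demo():
    cases = ["alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG", "bob@OTHER.EXAMPLE",
             "carol@EXAMPLE.ORG", "mallory@EXAMPLE.ORG"]
    return {p: may_use_account(p, "alice", SAMPLE_KHOSTS, "EXAMPLE.ORG")
            for p in cases}

if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:24} -> {'allow' if ok else 'deny'}")
```

A principal from another realm, or the same name without the listed instance, is denied even though it authenticated successfully.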

