Re: Kerberos support for remote Serv

jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:12:15 1987

From BCN%DEEP-THOUGHT@EDDIE.MIT.EDU  Mon Jun  9 08:10:02 1986
From: Clifford Neuman <BCN%DEEP-THOUGHT@EDDIE.MIT.EDU>
Subject: re: Kerberos Support for Remote Services, Project Description (long)
To: Saltzer@ATHENA.MIT.EDU
Cc: mtc@ATHENA.MIT.EDU, geer@ATHENA.MIT.EDU, spm@ATHENA.MIT.EDU,
        charlie@ATHENA.MIT.EDU, noah@ATHENA.MIT.EDU, jis@ATHENA.MIT.EDU
In-Reply-To: <8606090447.AA16708@HERACLES>

I will respond to the non-application specific questions.  Vxlogin is
the program used to get one's initial tickets.  It is the piece of
kerberos that will be merged into the login program.

Each server that allows kerberos mediated rlogin has a separate key
(conceptually).  In practice, you could use the same keys, but the
tradeoff is that compromising the security of one system would then
give you the key for the other if only one key is used.

The server gets its key from the file /etc/srvtab (which is protected
using Unix's file protection mechanism).

A ticket for a client is only good to rlogin to a single host.  If a
client needs to rlogin to a different host he has to get a new ticket.
This is (or will be) transparent to both the user and the application
since the kerberos library routine to create an authenticator will get
the new ticket from kerberos using its ticket granting ticket.

The unix user ID of a user does not appear in the ticket.  Instead,
the routine antoln (authentication name to local name) is called by
the server to convert the name obtained from the ticket into a local
username.  At the moment, the routine just returns the initial part of
the authentication name, but the routine is used so that an arbitrary
mapping can take place once it is finally implemented.

	~ Cliff
-------
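As an added example (not part of the message above and not the Athena Kerberos code), a small Python model of the points Cliff makes: one key per rlogin host standing in for /etc/srvtab, a ticket sealed under one host's key being rejected by another host, a client that transparently fetches a fresh per-host ticket instead of reusing one across hosts, and an antoln-style mapping that returns only the initial part of the authentication name. The HMAC sealing, the hostnames, the TicketCache class and the name.instance@realm parsing are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for /etc/srvtab: a distinct key for each rlogin host,
# so compromising host-a's key reveals nothing about host-b's tickets.
SRVTAB = {"host-a": secrets.token_bytes(32), "host-b": secrets.token_bytes(32)}


def issue_ticket(principal, host, srvtab=SRVTAB):
    """Toy ticket-granting step: seal a ticket naming exactly one host under that host's key."""
    body = json.dumps({"principal": principal, "host": host}, sort_keys=True).encode()
    tag = hmac.new(srvtab[host], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_ticket(ticket, host, srvtab=SRVTAB):
    """Server side: accept only a ticket sealed under this host's own key and naming this host."""
    expected = hmac.new(srvtab[host], ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None  # sealed under some other host's key (or tampered)
    fields = json.loads(ticket["body"])
    if fields["host"] != host:
        return None  # belt and braces: the ticket names a different host
    return fields["principal"]


def antoln(aname):
    """Authentication name -> local name, as described: just the initial part.

    Assumes the Kerberos v4 form name.instance@realm; a site could later
    replace this with an arbitrary mapping table without touching the server.
    """
    return aname.split("@", 1)[0].split(".", 1)[0]


class TicketCache:
    """Client-side library behaviour: reuse the ticket for a host, else fetch one via the TGT."""

    def __init__(self, principal, tgt):
        self.principal, self.tgt = principal, tgt  # tgt is an opaque constructed token here
        self.cache, self.fetches = {}, 0

    def ticket_for(self, host):
        if host not in self.cache:  # no ticket for this host yet: go back to Kerberos
            self.fetches += 1
            self.cache[host] = issue_ticket(self.principal, host)
        return self.cache[host]
```

Because verify_ticket keys its HMAC check on the verifying host's own srvtab entry, a ticket issued for host-a fails at host-b even though both hosts run the same server code.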
