Kerberos mailing list, message 14545
Subject: One way Cross-Realm Authentication
From: John Rudd <jrudd@cats.ucsc.edu>
Date: Thu, 07 Jun 2001 16:19:48 -0700
To: kerberos@MIT.EDU
Message-ID: <3B200C14.189C5401@cats.ucsc.edu>
We're planning to implement Win2k and MIT compatibility via cross-realm
authentication here (for various reasons, one of which is that the Win2k
desktops are admin'ed by a different group than the MIT KDCs). Right
now we've set up two-way cross-realm authentication, such that both
realms have tickets of the form:

    krbtgt/THEM.UCSC.EDU@US.UCSC.EDU
    krbtgt/US.UCSC.EDU@THEM.UCSC.EDU

I'm a "US.UCSC.EDU" admin, and we're the MIT KDC group who manages the
user accounts (students, staff, and faculty). "THEM.UCSC.EDU" is one of
the computer-lab groups that wants to have users from our realm be able
to simply walk in and be able to use their existing US.UCSC.EDU accounts
and passwords for the basic desktop login process. Right now we have
that working.

However, I have a concern about security in US.UCSC.EDU ...
specifically, I don't want THEM.UCSC.EDU principals to be valid on
US.UCSC.EDU machines. It's not that I don't trust this particular group
of admins (they're in our same department and we work closely with them
often), but down the road we may offer this as a wider service so that
any dept could do the same thing (each with their own locally
administrated realm). I'd rather not have my realm vulnerable to their
mistakes.

So, the goal is that machines attached to and administrated by any
random THEM.UCSC.EDU realm can have users authenticated against
US.UCSC.EDU, and not vice versa.

Can I accomplish that by deleting one of the above principals? If so,
which one? I'm guessing it'd be the first one, but I'm not sure.
--
John "kzin" Rudd http://www.domain.org/users/kzin
Truth decays into beauty, while beauty soon becomes merely charm. Charm
ends up as strangeness, and even that doesn't last. (Physics of Quarks)
-----===== Kein Mitleid Fu:r MicroSoft (www.kmfms.com) ======-----
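As an added illustration (not part of the post or of any MIT Kerberos code), the following model encodes the direction of trust that each krbtgt principal carries, using the two realm names from the post; the KDC "databases" are plain sets of principal names, and the kadmin.local command named in a comment is the real one an administrator would use.

```python
# Added example (not from the post): a small model of MIT Kerberos cross-realm trust,
# enough to see which krbtgt principal carries which direction of trust.
# A client in realm A reaches a service in realm B by asking A's KDC for the
# cross-realm TGT krbtgt/B@A, then presenting it to B's KDC, which can only
# verify it if it holds the same krbtgt/B@A key. So krbtgt/B@A means "A's users
# may use B", and the pair exists only for the direction you want to allow.
from typing import Dict, Set, Tuple

US = "US.UCSC.EDU"
THEM = "THEM.UCSC.EDU"


def xrealm_tgt(service_realm: str, client_realm: str) -> str:
    """Cross-realm TGT principal that clients of client_realm need to reach service_realm."""
    return f"krbtgt/{service_realm}@{client_realm}"


def direction(principal: str) -> Tuple[str, str]:
    """Parse krbtgt/B@A into (client_realm A, service_realm B): the trust it enables."""
    name, client_realm = principal.split("@", 1)
    service, service_realm = name.split("/", 1)
    if service != "krbtgt":
        raise ValueError(f"not a cross-realm TGT principal: {principal}")
    return client_realm, service_realm


def can_reach(client_realm: str, service_realm: str, kdcs: Dict[str, Set[str]]) -> bool:
    """True if client_realm users can get service tickets in service_realm."""
    if client_realm == service_realm:
        return True
    tgt = xrealm_tgt(service_realm, client_realm)
    # Both KDCs must hold the shared key: issuer (client realm) and verifier (service realm).
    return tgt in kdcs[client_realm] and tgt in kdcs[service_realm]


def two_way_setup() -> Dict[str, Set[str]]:
    """The post's current state: both krbtgt principals in both KDC databases."""
    both = {xrealm_tgt(THEM, US), xrealm_tgt(US, THEM)}
    return {US: set(both), THEM: set(both)}


def restrict_to_one_way(kdcs: Dict[str, Set[str]], client_realm: str, service_realm: str) -> str:
    """Keep only client_realm -> service_realm: delete the reverse-direction principal
    from every KDC and return its name (on a real KDC: kadmin.local -q "delprinc -force <name>")."""
    reverse = xrealm_tgt(client_realm, service_realm)  # krbtgt/client_realm@service_realm
    for db in kdcs.values():
        db.discard(reverse)
    return reverse


if __name__ == "__main__":
    kdcs = two_way_setup()
    print("deleted:", restrict_to_one_way(kdcs, US, THEM))
    print("THEM users valid in US?", can_reach(THEM, US, kdcs))
```

Removing the principal from the US.UCSC.EDU KDC alone already breaks the verification step for tickets in that direction; deleting the other copy as well keeps the two databases consistent.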