[24] in Kerberos
Re: Integration with old protocols
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:16:20 1987
From bcn@ATHENA.MIT.EDU Fri Jul 25 09:42:43 1986
From: Clifford Neuman <bcn@ATHENA.MIT.EDU>
Date: Fri, 25 Jul 86 09:40:37 EDT
To: Saltzer
Subject: Re: Integration with old protocols
Cc: kerberos

Your proposal for integrating Kerberos with existing protocols looks
pretty good. It is sort of the "next step" towards a library that would
provide automatically authenticated TCP and UDP functionality.

I see some problems with using the "Ksetup" (Yeah, we need a new name)
approach. As defined, it would be easier for an active attacker to
impersonate someone else. But then again, even the current rlogin, rsh,
rcp integration allows such an attack since authentication is only
applied at the beginning of the connection. The details of the Ksetup
server and the library routines to access authentication information
using it are not completely specified, and it may be possible to come up
with an approach that is no less secure.

I am willing to work with someone designing the server, and defining a
new procedure for the Kerberos library to come retrieve information from
the server. I have other priorities, though (ticket granting tickets,
and getting Kerberos to run on the RT), so someone else will have to do
the actual coding.

~ Cliff