[2599] in Kerberos
Re: Kerberos 5 & login
daemon@ATHENA.MIT.EDU (Ganesan)
Thu Feb 25 16:39:31 1993
From: bf4grjc@socrates.MIT.EDU (Ganesan)
To: tytso@Athena.MIT.EDU (Theodore Ts'o)
Date: Thu, 25 Feb 1993 11:12:54 -0500 (EST)
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: <9302250226.AA23975@SOS> from "Theodore Ts'o" at Feb 24, 93 09:26:08 pm
Reply-To: bf4grjc@bell-atl.com
Ted,
While on the subject of login......
Realizing that Kerberos was NOT intended for initial login/xdm authentication,
it is still true, that in MANY environments, the overhead of maintaining
both /etc/passwd (or whatever for non-UNIX systems) AND a Kerberos database
is completely impractical, and Kerberos WILL end up getting used for
login/xdm.
Given the above, why cannot there be an OPTION ADDED (not change) to the protocol
such that the initial TGT is sent to the login/xdm programs "additionally"
encrypted with a service key known only to the KDC and the login/program.
I believe this was discussed before and there were some other proposals. Why
can't any ONE of these proposals be made part of the standard as an OPTION
(not change).
Ravi
--
*******************************************************************************
Ravi Ganesan e-mail: ravi@socrates.bell-atl.com
IS SAS Corporate Network Planning v-mail: (301) 595-8439
Bell Atlantic Fax: (301) 595-1341
Note: If your e-mail reply to me bounces, try sending it explicitly to
ravi@socrates.bell-atl.com instead of using the 'reply' feature.
******************************************************************************