[2603] in Kerberos
Re: Kerberos 5 & login
daemon@ATHENA.MIT.EDU (Kurt J. Lidl)
Thu Feb 25 17:54:15 1993
From: lidl@uunet.uu.net (Kurt J. Lidl)
To: bcn@ISI.EDU (Clifford Neuman)
Date: Thu, 25 Feb 1993 17:32:12 -0500 (EST)
Cc: bf4grjc@bell-atl.com, tytso@Athena.MIT.EDU, kerberos@Athena.MIT.EDU
In-Reply-To: <9302251634.AA10034@tgo.isi.edu> from "Clifford Neuman" at Feb 25, 93 08:34:05 am
>From: Clifford Neuman <bcn@ISI.EDU>
>Date: Thu, 25 Feb 93 08:34:05 PST
>
> From: bf4grjc@socrates.MIT.EDU (Ganesan)
> Date: Thu, 25 Feb 1993 11:12:54 -0500 (EST)
>
> Realizing that Kerberos was NOT intended for initial login/xdm
> authentication, it is still true, that in MANY environments, the
> overhead of maintaining both /etc/passwd (or whatever for non-UNIX
> systems) AND a Kerberos database is completely impractical, and
> Kerberos WILL end up getting used for login/xdm.
>
> Given above, why cannot there be an OPTION ADDED (not change) to
> the protocol such that the initial TGT is sent to the login/xdm
> programs "additionally" encrypted with a service key known only to
> the KDC and the login/program.
>
>I do not know if your comments are related to the message to which it
>is a followup. However, it is important to distinguish between the
>protocol, and the software that implements it. The Kerberos protocol
>as it stands is quite capable of supporting initial login. In
>particular, you use the password entered by the user to decrypt
>initial credentials, and you then use those credentials to obtain
>subsequent credentials for logging into the local machine. Only one
>password needs to be entered by the user, and only one password/key
>database need be maintained (that for Kerberos). No protocol changes
>are required.
Cliff,
I believe what the author (Ganesan) was referring to is the particular
way that XDM works, at least on Xterminals. In this case, you have
an Xserver running on some networked device, and the actual program
that will do the Kerberos authentication running on some CPU-server
machine. Anything you type will go over the network in the clear
from the Xterminal to the CPU server, before the authentication takes
place.
I believe what he was asking for is outside of the realm (pardon the
pun) of Kerberos proper, and is more an implementation issue with
how he wishes to set up a secure channel over which to do the authentication
of the user.
I.e., we have:
Xterminal <---- clear text ----> CPU-machine <--- Kerb. Auth ---> KDC
I think he wants:
Xterminal <- some encrypted channel -> CPU-machine <--- Kerb Auth ---> KDC
-Kurt
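As an added illustration of the point Clifford makes above (the typed password decrypts the initial credentials, and those credentials are then used to obtain a ticket for the local machine, so only one password and one key database are needed), here is a small model of the Kerberos AS and TGS exchanges. This is example code written for this archive page, not MIT Kerberos code; the realm, principal names, passwords and the toy cipher (PBKDF2 as a stand-in for string2key, a SHA-256 keystream plus HMAC as a stand-in for a real enctype) are all constructed for the example. It deliberately models nothing about the Xterminal-to-CPU-server hop Kurt describes: the password reaches `initial_login` already in the clear, which is exactly his point.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.REALM"            # constructed realm name, not from the thread
TGS_PRINC = "krbtgt/" + REALM       # the ticket-granting service principal


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string2key: salted PBKDF2 of the typed password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20_000)


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Verify the tag first, then decrypt; a wrong key (wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """The one key database Clifford refers to: long-term keys for users and services."""

    def __init__(self):
        self.keys = {}

    def add_user(self, princ: str, password: str):
        self.keys[princ] = string_to_key(password, princ)

    def add_service(self, princ: str):
        self.keys[princ] = os.urandom(32)

    def as_exchange(self, client: str) -> bytes:
        """AS-REP: TGT sealed under the krbtgt key, wrapped in a reply sealed under the client's key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys[TGS_PRINC],
                   {"client": client, "session_key": sk, "expires": time.time() + 600})
        return seal(self.keys[client], {"session_key": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS-REP: validate the TGT and authenticator, issue a ticket for `service`."""
        t = unseal(self.keys[TGS_PRINC], tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        tgt_sk = bytes.fromhex(t["session_key"])
        auth = unseal(tgt_sk, authenticator)          # proves the caller holds the TGT session key
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "session_key": svc_sk, "expires": time.time() + 600})
        return seal(tgt_sk, {"session_key": svc_sk, "ticket": ticket.hex()})


def initial_login(kdc: KDC, client: str, password: str):
    """Clifford's first step: the typed password is the only secret the user supplies."""
    key = string_to_key(password, client)
    rep = unseal(key, kdc.as_exchange(client))        # ValueError on a wrong password
    return bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["session_key"])


def login_to_host(kdc: KDC, client: str, tgt: bytes, tgt_sk: bytes,
                  host_princ: str, host_key: bytes) -> str:
    """Clifford's second step: use the TGT to get a ticket the local machine can verify itself."""
    authenticator = seal(tgt_sk, {"client": client, "timestamp": time.time()})
    rep = unseal(tgt_sk, kdc.tgs_exchange(tgt, authenticator, host_princ))
    # The CPU machine checks the ticket with its own long-term key; no password ever reaches it
    # from the KDC, and no second password database is consulted.
    ticket = unseal(host_key, bytes.fromhex(rep["ticket"]))
    return ticket["client"]


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_service(TGS_PRINC)
    kdc.add_service("host/cpu-machine")                 # constructed service principal
    kdc.add_user("ganesan", "correct-horse")             # constructed user and password
    tgt, sk = initial_login(kdc, "ganesan", "correct-horse")
    print("logged in as", login_to_host(kdc, "ganesan", tgt, sk,
                                        "host/cpu-machine", kdc.keys["host/cpu-machine"]))
```

Two things the model leaves out on purpose, both of which matter when Kerberos is used for initial login: it has no pre-authentication, so anyone can request an AS-REP for a principal and guess at the password offline (the weakness Kerberos 5 pre-authentication was added to close), and it has no replay cache for authenticators. Neither gap is a protocol change; both are implementation choices, which is the distinction Clifford draws.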