[2604] in Kerberos
Re: Kerberos 5 & login
daemon@ATHENA.MIT.EDU (Ganesan)
Thu Feb 25 18:39:49 1993
From: bf4grjc@socrates.MIT.EDU (Ganesan)
To: lunt@ctt.bellcore.com (Steve Lunt)
Date: Thu, 25 Feb 1993 18:22:48 -0500 (EST)
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: <9302251845.AA15927@shadow.secure.bellcore.com> from "Steve Lunt" at Feb 25, 93 01:45:12 pm
Reply-To: bf4grjc@bell-atl.com
Steve,
>
> Agreed that most vendors will likely do it wrong and only do
> Step 1. But I think a standard API is needed (rather than a special
> protocol extension) to accomplish this. This way, with a simple
> call, the vendors have no excuse to side step the issue (pun intended).
>
You probably can get vendors to tango with your API solution, but before
I let you waltz away with your idea, I want to point out two things:
a) Without a protocol addition (please don't use the word change!), you have
to live with Cliff's two step minuet, whereas it MAY be preferable
to treat login as a distinguished process. Observe, it is the ONLY
process which ever gets to see the user's private-shared-with-KDC
key, which makes it special. Further, using Kerberos authentication
across, what you already assume to be a trusted environment (in the
sense that you are assuming the intruder cannot spoof a connection
between two processes on the same workstation), is frankly NOT
graceful.
b) But let's damn grace! I think we agree there is a NEED for SOME
solution. Now you could put requirements for your API in the Bellcore
requirements which you posted on the group a while back, get a solution
from your preferred vendor, and that would solve our problem.
But it would be preferable if the kerberos community can rally
around a standard (or a standard for the reference implementation),
and then we get that implemented at Bellcore/Bell-Atlantic and
added as an option to the MIT distribution.
Happy dancing!
Ravi
--
*******************************************************************************
Ravi Ganesan e-mail: ravi@socrates.bell-atl.com
IS SAS Corporate Network Planning v-mail: (301) 595-8439
Bell Atlantic Fax: (301) 595-1341
Note: If your e-mail reply to me bounces, try sending it explicitly to
ravi@socrates.bell-atl.com instead of using the 'reply' feature.
******************************************************************************