[2529] in SIPB-AFS-requests
Re: fun with pts
daemon@ATHENA.MIT.EDU (Derek Atkins)
Mon Oct 28 10:17:52 1996
Date: Mon, 28 Oct 1996 10:14:03 -0500
From: Derek Atkins <warlord@MIT.EDU>
To: mhpower@MIT.EDU
Cc: marc@MIT.EDU, sipb-afsreq@MIT.EDU
In-Reply-To: "[2528] in SIPB-AFS-requests"
The problem with system:authuser is that it requires a system
administrator to add users to the pts database. Using the group that
marc created, system:authuser@athena.mit.edu, allows *ANY* athena user
to add themselves to the database without system:admin intervention.
The benefit is that we can put things like crypto lockers or other
MIT-only licensed software in the SIPB Cell and explain to people how
to access it.
Personally, I think the fact that "moira@athena.mit.edu" could get an
account isn't that big a security hole. I would consider
"register@athena.mit.edu" a bigger hole, but I still don't consider it
a big problem.
Things I would use this for:
PGP
RSAREF
CryptLib
Java (SGI java is MIT-only)
XFree86
Linux-AFS testing
(Others?)
The software involved here doesn't need to be put into a wrapper. I
won't discuss whether or not a wrapper is an "abomination". However,
in these cases simple security is good enough, and only people who
actually know the password to a kerberos principal in the Athena
Kerberos Realm can authenticate.
The only question I have, Marc, is how does aklog know whether to get
you tokens for "marc@athena.mit.edu" or "marc"? Does it depend on
whether you supply the -k option?
-derek