[2529] in SIPB-AFS-requests

home help back first fref pref prev next nref lref last post

Re: fun with pts

daemon@ATHENA.MIT.EDU (Derek Atkins)
Mon Oct 28 10:17:52 1996

Date: Mon, 28 Oct 1996 10:14:03 -0500
From: Derek Atkins <warlord@MIT.EDU>
To: mhpower@MIT.EDU
Cc: marc@MIT.EDU, sipb-afsreq@MIT.EDU
In-Reply-To: "[2528] in SIPB-AFS-requests"

The problem with system:authuser is that it requires a system
administrator to add users to the pts database.  Using the group that
marc created, system:authuser@athena.mit.edu, allows *ANY* athena user
to add themselves to the database without system:admin intervention.

The benefit is that we can put things like crypto lockers or other
MIT-only licensed software in the SIPB Cell and explain to people how
to access it.

Personally, I think the fact that "moira@athena.mit.edu" could get an
account isn't that big a security hole.  I would consider
"register@athena.mit.edu" a bigger hole, but I still don't consider it
a big problem.

Things I would use this for:
	PGP
	RSAREF
	CryptLib
	Java (SGI java is MIT-only)
	XFree86
	Linux-AFS testing	
	(Others?)

The software involved here doesn't need to be put into a wrapper.  I
won't discuss whether or not a wrapper is an "abomination".  However,
in these cases simple security is good enough, and only people who
actually know the password to a kerberos principal in the Athena
Kerberos Realm can authenticate.

The only question I have, Marc, is how does aklog know whether to get
you tokens for "marc@athena.mit.edu" or "marc"?  Does it depend on
whether you supply the -k option?

-derek

home help back first fref pref prev next nref lref last post