[1284] in Kerberos
Re: srvtab on client machines
daemon@ATHENA.MIT.EDU (smb@ulysses.att.com)
Mon Mar 4 23:09:47 1991
From: smb@ulysses.att.com
To: Galina@IBM.COM
Cc: kerberos@ATHENA.MIT.EDU
Date: Mon, 04 Mar 91 20:55:15 EST
Sorry for the previous append. Ted, do you mean that each
user has to come do the database administrator and send srvtab
file to her/his machine? Or does database administraotr has
to come to each user's machine to decrypt srvtab?
Thank you.
Galina..
I think we have a misunderstanding here.
In the environment for which Kerberos was designed, that's a
non-issue. In general, workstations neither have nor need srvtab
files, because they do not provide any services to the user community.
In effect, they are very smart terminals (or interaction servers, if
you prefer), with a substantial amount of computing power. A person
sitting at such a workstation may want to access files that are stored
remotely; for this, that person must somehow present credentials. But
the workstation itself has no per-user files; it simply has the
skeleton of a system on its local disk. And that local disk is, for
all practical purposes, read-only. (For implementation reasons, it
probably is not physically read-only.) When I visualize the Kerberos
model, I tend to think of a large room filled with keypunches. (Yes, I
know; my age is showing....) You, as a user, might prefer one keypunch
over another. (Back when I used such things, I kept track of which
keypunches had all of their starwheels intact.) But the ultimate host
neither knew nor cared which one I used. Nor did I ever try to access
the keypunch's drum card from the host.
It's the same with Kerberos, at least as deployed at MIT. Not only is
there no need to request services of a workstation, in general one
cannot -- remote access is turned off. Thus, there are no services for
which access is mediated by /etc/srvtab.
The same reasoning explains why using /tmp for cached credentials is
not as serious as it might appear at first glance: no one else has
access to live tickets and their associated session keys. To be sure,
I'd still prefer a different mechanism, but Kerberos workstations -- in
their original environment -- minimize the exposure.
There are, I believe, some private workstations at MIT. These may, if
the owners wish, have network services. And there are certainly
workstations on the martket whose computing abilities far exceed that
of an overloaded central server; I can easily see why the owner of such
a beast would want the ability to log in remotely. But if you want the
privileges of a host, you have to accept the responsibilities: secure
administration of /etc/srvtab files. (Note, too, that you have to deal
with the database administrator anyway, so that entries for each
service can be added to the Kerberos database.)
It may be that your particular environment differs from MIT's. To the
extent that it does differ, Kerberos may not be as good a fit. There
are a number of issues; the maintenance of /etc/srvtab is only one of
them. At the risk of repeating myself redundantly, a number of such
issues are brought up in the Bellovin & Merritt Usenix paper; if you
can't ftp it from research.att.com, I'll be happy to mail you a copy.
--Steve Bellovin
