[1329] in Kerberos
Re: setup of kerberos
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Sat Apr 6 18:05:13 1991
Date: Sat, 6 Apr 91 16:39:57 -0500
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
To: massey@kpc.com
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Todd Massey's message of 5 Apr 91 20:04:58 GMT,
Reply-To: tytso@ATHENA.MIT.EDU
Date: 5 Apr 91 20:04:58 GMT
From: massey@kpc.com (Todd Massey)
I cannot figure out how to get the setup correct so that
kerberos stops giving me
Warning: No Kerberos tickets obtained.
when I rlogin.
You always get those messages; what rlogind is warning you about is the
fact that if you have Kerberos tickets on host A, and use them to rlogin
to host B from host A, you will _not_ automatically get Kerberos tickets
on host B. The reason behind this is one of security. Kerberos tickets are
only good on one host, so that if someone steals your tickets, they can
only use them to compromise you on the host they originally came from.
Therefore, when you login to a new host, your Kerberos credentials do
not automatically follow you. In order to get tickets on host B, you
will either need to kinit after you rlogin (which has the drawback that
your password goes across the network in the clear), or you need to use
a client called rkinit before you use rlogin. rkinit securely obtains
and transports over to host B tickets which can be used for host B.
Both using kinit and rkinit require that you type your password over
again, but that's the price you pay for security.
In Kerberos Version 5, "forwardable" tickets can be created (although
the KDC can be compiled to disallow them, depending on the site
policies) which allow you to forward tickets from Host A to Host B
without needing to type your password over again. Of course, this opens
up a minor security hole, but some users demand convenience at any
cost....
- Ted
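
[Added example, not part of the original message.] One way to check a Kerberos 5 credential cache for the forwarding behaviour described above: parse `klist -f` output and report tickets carrying the F (forwardable) or f (forwarded) flag. The MIT krb5 output layout is assumed, the sample text is constructed, and the function names are this example's own.

```python
import re

# Constructed sample of `klist -f` output (MIT krb5 layout assumed);
# the principals, dates and cache path are made up for illustration.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/06/2024 10:00:00  04/06/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/13/2024 10:00:00, Flags: FRIA
04/06/2024 10:05:00  04/06/2024 20:00:00  host/hostb.example.com@EXAMPLE.COM
\tFlags: AT
"""

FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")


def parse_klist(text):
    """Return [(service_principal, flags)] for each ticket listed."""
    tickets = []
    for line in text.splitlines():
        fields = line.split()
        # Ticket rows are unindented: start date/time, end date/time, principal.
        if not line[:1].isspace() and len(fields) >= 5 and "@" in fields[-1]:
            tickets.append([fields[-1], ""])
        # The indented continuation row carries the flag letters.
        elif tickets and (m := FLAGS_RE.search(line)):
            tickets[-1][1] = m.group(1)
    return [tuple(t) for t in tickets]


def audit(text):
    """Report tickets that can be, or already have been, forwarded."""
    findings = []
    for service, flags in parse_klist(text):
        # 'F': the KDC will issue a copy of this TGT usable from another host.
        if "F" in flags and service.startswith("krbtgt/"):
            findings.append((service, "forwardable TGT"))
        # 'f': this ticket arrived via forwarding, not a local kinit.
        if "f" in flags:
            findings.append((service, "forwarded ticket"))
    return findings


if __name__ == "__main__":
    for service, reason in audit(SAMPLE_KLIST):
        print(f"{reason}: {service}")
```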