[1460] in Kerberos


login modification

daemon@ATHENA.MIT.EDU (Steve Lunt)
Tue Jul 23 11:05:32 1991

Date: Tue, 23 Jul 91 10:24:53 EDT
From: Steve Lunt <lunt@ctt.bellcore.com>
To: kerberos@ATHENA.MIT.EDU

	I have an idea for a slight modification to the Kerberos login
program.  I'd like to know what people think (either re-post to newsgroup or
mail to me directly).

	The modification allows users to type "username@realm" to the login
prompt, rather than just "username".  If the local user "username" has
"username@realm" in their .klogin file, then the password would be validated in
the specified realm, and access would be based on successful decryption of the
Kerberos TGT response.

	If you want to add the check which many have suggested of ensuring that
the response is coming from the real Kerberos (generally, this is done by
having the login program use the TGT to get a ticket for "rcmd@localrealm"),
then you could take the fetched TGT from the foreign realm, and use it to get a
TGT for the local realm, and use that to get a ticket for "rcmd@localrealm".
If this is not successful, the user is rejected.

	I'm trying to get a scheme that will accommodate the following
scenario.  I have an account and password on the systems in my realm (realm
A).  The administrator for a system in another realm (realm B) wants to give me
an account on his machine without having to worry about setting up a password.
He can do this now without the above mod by giving me a .klogin with
"user@realmA" in it.  He doesn't need to add me to his Kerberos database (for
realm B).  Now I can rlogin to his host fine.  However, I cannot log in
directly via login or telnet.  But it seems like I should; hence the above
suggestion.

	The only problem is that the usernames have to be the same.  An
improvement would be that the user could also type "l_user r_user@r_realm" to
the login prompt if the usernames aren't the same.

-- Steve

       Steven J. Lunt         |  lunt@ctt.bellcore.com  |  RRC 1L-213
Computer Security Technology  |-------------------------|  444 Hoes Lane
          Bellcore            |     (908) 699-4244      |  Piscataway, NJ 08854
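The flow Steve sketches, modelled as a toy in Python: an added example, not code from this post or from MIT Kerberos. Kerberos encryption is replaced by an HMAC "seal", the realm names REALM.A and REALM.B, the inter-realm principal krbtgt/REALM.B@REALM.A, the user names and the .klogin contents are all constructed, and only the cross-realm path (foreign TGT, cross-realm TGT, then a ticket for rcmd in the local realm) is modelled.

```python
import hashlib, hmac, json
LOCAL = "REALM.B"   # constructed name for the post's "realm B"; every name below is an assumption

def key(secret):
    """Toy long-term key from a password or service secret (stands in for string-to-key)."""
    return hashlib.sha256(secret.encode()).digest()

def seal(k, obj):
    """Toy 'encryption' under k: JSON body plus HMAC tag. Only the MAC matters for this model."""
    body = json.dumps(obj, sort_keys=True).encode()
    return body + hmac.new(k, body, hashlib.sha256).digest()

def unseal(k, blob):
    """Return the sealed object, or None when the tag does not verify under k."""
    body, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(k, body, hashlib.sha256).digest())
    return json.loads(body) if ok else None

class KDC:
    """One realm's KDC: a key table of users, krbtgt/... entries and service keys."""
    def __init__(self, realm, secrets):
        self.realm, self.keys = realm, {p: key(s) for p, s in secrets.items()}
    def as_exchange(self, user):
        """AS reply: a TGT sealed under this realm's krbtgt key, all sealed under the user's key."""
        tgt = seal(self.keys[f"krbtgt/{self.realm}"], {"client": f"{user}@{self.realm}"})
        return seal(self.keys[user], {"tgt": tgt.hex()})
    def tgs_exchange(self, tgt_hex, service):
        """TGS reply: accept a TGT sealed under any krbtgt key this KDC holds (own or inter-realm)."""
        for name, k in self.keys.items():
            t = unseal(k, bytes.fromhex(tgt_hex)) if name.startswith("krbtgt/") else None
            if t and service in self.keys:
                return seal(self.keys[service], {"client": t["client"]}).hex()
        return None

def login(l_user, r_princ, password, klogin, kdcs, rcmd_key):
    """The proposed flow: .klogin authorises r_princ for l_user, the password is checked in the
    foreign realm, then the KDC is verified via foreign TGT -> cross-realm TGT -> rcmd ticket."""
    if r_princ not in klogin.get(l_user, ()):
        return "denied: no .klogin entry"
    r_user, r_realm = r_princ.split("@", 1)
    rep = unseal(key(password), kdcs[r_realm].as_exchange(r_user))
    if rep is None:
        return "denied: bad password"
    # Decrypting the AS reply only shows the responder knew the typed password (a rogue KDC can
    # arrange that); the rcmd ticket must also verify under the host's own service key.
    xrealm = f"krbtgt/{LOCAL}@{r_realm}"   # inter-realm principal present in both key tables
    cross = kdcs[r_realm].tgs_exchange(rep["tgt"], xrealm)
    rcmd = kdcs[LOCAL].tgs_exchange(cross, "rcmd") if cross else None
    if rcmd is None or unseal(rcmd_key, bytes.fromhex(rcmd)) is None:
        return "denied: no verifiable ticket for rcmd@localrealm"
    return f"ok: {l_user} authenticated as {r_princ}"
```

The last check is what rejects a forged AS reply: a responder that does not hold the inter-realm key cannot produce anything the local KDC will turn into a ticket sealed under the host's rcmd key.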

