[1712] in Kerberos
protocol question
daemon@ATHENA.MIT.EDU (marantz@cs.rutgers.edu)
Thu Jan 16 11:38:43 1992
Date: Thu, 16 Jan 92 11:08:18 EST
From: marantz@cs.rutgers.edu
To: kerberos@Athena.MIT.EDU
Cc: marantz@cs.rutgers.edu
As part of our migrating to kerberos (version 5) I'm hacking pwdauthd
(on some Suns) to validate a password lookup using kerberos (not
passwd.adjunct). Pwdauthd has the person's login name and cleartext of
the password.
As I understand it, pwdauthd should get a Ticket Granting Ticket [TGT]
for the person (from the Authentication Service[AS]) and then try to
use it on a local service (say talking to rcmd or maybe itself). This
would mean getting a ticket for that server and having that server
validate the ticket. To me this sounds like it will be slow. This
way will need 2 exchanges with kerberos (to the AS and the
Ticket-Granting Service [TGS]) and one exchange with the local server.
I was hoping to have pwdauthd talk to the TGS using the pwdauthd
ticket and ask for a TGT for the user by supplying the user's
password. I think this could be used to replace the whole procedure
mentioned above.
Does anyone have any comments on this protocol? Does anyone know if
the current code would handle this or would I need to write another
"server" akin to AS or TGS?
Also is anyone discussing admin protocol for version 5?
Roy
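A toy model of the three-step procedure Roy describes (AS exchange, TGS exchange, then validation of the service ticket at a local service), added here as an illustration; it is not code from the post or from MIT Kerberos. It assumes constructed principal names, a SHA-256 string-to-key stand-in, and an HMAC tag in place of real ticket encryption, so a ticket can only be opened by the holder of the right key.

```python
import hashlib, hmac, json, os

# Constructed toy string-to-key (assumption: real Kerberos uses its own
# string-to-key function and real encryption, not a SHA-256 / HMAC stand-in).
def string_to_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

# Constructed KDC database: the user, the local service pwdauthd would talk
# to, and the TGS key that protects TGTs.
KDC_DB = {
    "roy": string_to_key("correct horse"),   # user principal
    "pwdauthd/host": os.urandom(32),         # local service principal
    "krbtgt": os.urandom(32),                # TGS key
}

def seal(key: bytes, obj: dict) -> bytes:
    body = json.dumps(obj).encode()
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(body)

# Exchange 1 (AS): the KDC returns a TGT sealed under the TGS key plus a
# session key sealed under the user's key; only the right password opens it.
def as_exchange(user: str) -> bytes:
    sk = os.urandom(16).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": user, "sk": sk})
    return seal(KDC_DB[user], {"sk": sk, "tgt": tgt.hex()})

# Exchange 2 (TGS): the TGS opens the TGT, checks the authenticator under the
# session key, and issues a service ticket sealed under the service's key.
def tgs_exchange(tgt_hex: str, service: str, authenticator: bytes) -> bytes:
    tgt = unseal(KDC_DB["krbtgt"], bytes.fromhex(tgt_hex))
    unseal(bytes.fromhex(tgt["sk"]), authenticator)
    return seal(KDC_DB[service], {"client": tgt["client"], "svc": service})

# Exchange 3: the local service opens the ticket with its own key.
def service_validate(service: str, ticket: bytes) -> str:
    return unseal(KDC_DB[service], ticket)["client"]

# The full procedure from the post: password is accepted only if all three
# steps succeed end to end.
def validate_password(user: str, password: str, service: str = "pwdauthd/host") -> bool:
    try:
        rep = unseal(string_to_key(password), as_exchange(user))
        auth = seal(bytes.fromhex(rep["sk"]), {"client": user})
        return service_validate(service, tgs_exchange(rep["tgt"], service, auth)) == user
    except (ValueError, KeyError):
        return False
```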