[1775] in Kerberos

Re: MIT vs. OSF/DCE Kerberos Differences

daemon@ATHENA.MIT.EDU (Dean Anderson)
Wed Feb 26 18:14:27 1992

Date: Wed, 26 Feb 92 17:29:46 EST
From: dean@ksr.com (Dean Anderson)
To: pato@apollo.hp.com (Joe Pato)
Cc: kerberos@Athena.MIT.EDU

Can I replace the DCE kerberos server with another server provided by  
another vendor?

For example:

Suppose I buy a third party authentication product, which provides a  
kerberos server which uses their authentication keys instead of  
passwords for authentication?  (Suppose the authentication keys  
change according to a secret algorithm, and so a special kerberos  
server is needed which knows the secret algorithm)

Suppose further that I plan to buy DCE from my hardware vendor and I  
don't have a DCE source licence, or a source licence for the third  
party authentication product (Suppose the secret algorithm is very  
proprietary). 


Can I use the third party V5 protocol server in place of the DCE  
kerberos server supplied by my vendor? Will the DCE still work with  
an unmodified V5 protocol server?

A "Yes" is very important.  A "No" will force one to choose between  
security and DCE.  As you might guess, I have something specific in  
mind; this is exactly the situation one finds oneself in with the  
Security Dynamics SecurID cards.  


If not, shouldn't there be separate port numbers for OSF/DCE protocol  
(and clients) and MIT protocol (and clients)?  The DCE protocol  
clients presumably would do DCE authentication (dfs) and the MIT  
clients would do things like klogin, etc.

Thanks,

Dean Anderson
KSR Computing Facilities

