[1779] in Kerberos


Re: MIT vs. OSF/DCE Kerberos Differences

daemon@ATHENA.MIT.EDU (Joe Pato)
Wed Feb 26 19:58:58 1992

From: pato@apollo.hp.com (Joe Pato)
Date: Wed, 26 Feb 92 18:23:11 EST
To: dean@ksr.com (Dean Anderso)
Cc: pato@apollo.hp.com (Joe Pato), kerberos@Athena.MIT.EDU
In-Reply-To: dean@ksr.com (Dean Anderso), wed, 26 feb 92 17:29:46

    Can I replace the DCE kerberos server with another server provided by  
    another vendor?

No, but read on.
    
    For example:
    
    Suppose I buy a third party authentication product, which provides a  
    kerberos server which uses their authentication keys instead of  
    passwords for authentication?  (Suppose the authentication keys  
    change according to a secret algorithm, and so a special kerberos  
    server is needed which knows the secret algorithm)
    
    Suppose further that I plan to buy DCE from my hardware vendor and I  
    don't have a DCE source licence, or a source licence for the third  
    party authentication product (Suppose the secret algorithm is very  
    proprietary). 
    
    
    Can I use the third party V5 protocol server in place of the DCE  
    kerberos server supplied by my vendor? Will the DCE still work with  
    an unmodified V5 protocol server?

Unless the third party V5 server has been extended to support the additional
features of the DCE, the DCE will not run.  We have designed the DCE protocols
to allow for independent implementations of the KDC and the other security
servers, but we have no implementations of the system partitioned in this way.

    A "Yes" is very important.  A "No" will force one to choose between  
    security and DCE.  As you might guess, I have something specific in  
    mind; this is exactly the situation one finds oneself in with the  
    Security Dynamics SecurID cards.  

The hooks are in place to support smart-cards for authentication.   The Security
Dynamics cards are more difficult since their algorithm is proprietary - but
they have presented their technology to the OSF security SIG and they may be 
considering ways to plug into a DCE environment.

    If not, shouldn't there be separate port numbers for OSF/DCE protocol  
    (and clients) and MIT protocol (and clients)?  The DCE protocol  
    clients presumably would do DCE authentication (dfs) and the MIT  
    clients would do things like klogin, etc.

Communication to the OSF/DCE kerberos server primarily uses RPC - but the
server does also listen to the official port.  It does so since it implements
the V5 protocol as spec'd.  It sounds to me like you are trying to set up two
independent realms.  One that is purely derived from the MIT code and another
that is the DCE.
    
                    -- Joe Pato
                       Cooperative Object Computing Division / East
                       Hewlett-Packard Company
                       pato@apollo.hp.com

    