[1793] in Kerberos
Re: OSF/DCE Kerberos Questions
daemon@ATHENA.MIT.EDU (Joe Pato)
Tue Mar 3 11:54:23 1992
From: pato@apollo.hp.com (Joe Pato)
Date: Tue, 3 Mar 92 11:05:08 EST
To: seclark@iscnvx.lmsc.lockheed.com (Steve Clark)
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: seclark@iscnvx.lmsc.lockheed.com (Steve Clark), wed, 26 feb 92 16:53:18
I appreciate help from anyone regarding these questions:
Q1: Will OSF/DCE Kerberos authentication and authorization using ACLs
permit a user with client-name (principal-name) "USER_A" to access
a service using a local account-name of "USER_B" (access to accounts
with names that are different from the Kerberos client-name) ?
This depends on how the vendor integrates DCE with their operating system. For
most UNIX-flavor OSs, we expect that the DCE user registration database
replaces the local /etc/passwd file based account management. In this case the
principal name and the account name are one and the same.
Q2: Will DCE allow me to prevent a Kerberos client (principal) "USER_A"
from accessing a service with local account-name "USER_A" (there
may be accounts on different hosts that have the same name, but they may
belong to different individuals and a way to prevent authorization is
needed).
Again this depends on how the vendor choosed to deploy the system. For UNIX
based OSs, we include a local override capability that allows an administrator
to associate a local password with an account thereby preventing the "network"
user from accessing that account on that machine.
To some extent these questions are framed a bit strangely for the DCE - since
in the DCE we are providing a "true" distributed computing environment. Access
to resources is available from any node in the distributed environment.
Preventing "login" to a particular machine is really only preventing an
individual from accessing compute cycles on that machine via login. It will
not prevent network services on that machine from responding to remote
requests from that user. (Of course all services in the DCE export the DCE
authorization (ACL) model, so access can be limited, but I don't believe this
is what you had in mind).
Q3: Will "krb_kntoln" (/etc/aname feature) be supported by DCE
out-of-the-box, as a user-hook, or not at all?
The /etc/aname feature is not present in the DCE. In general, a DCE prinicpal
name is the same as the local account name. The DCE Security Component API
provides operations to obtain account information from a principal name. As
stated elsewhere, the DCE Security Component implements the Kerberos V5
specification - not the API. This feature is not specified in the spec, and is
not supported in the DCE.
Q4: Are .klogin files supported by DCE Kerberos?
No.
-- Joe Pato
Cooperative Object Computing Division / East
Hewlett-Packard Company
pato@apollo.hp.com
-------
