[1898] in Kerberos
Re: kerberos is working
daemon@ATHENA.MIT.EDU (John Gardiner Myers)
Fri May 8 16:44:58 1992
Date: Fri, 8 May 1992 16:05:22 -0400 (EDT)
From: John Gardiner Myers <jgm+@cmu.edu>
To: kerberos@Athena.MIT.EDU
In-Reply-To: <9205081543.AA16384@tsx-11.MIT.EDU>

tytso@ATHENA.MIT.EDU (Theodore Ts'o) writes:
> (In fact, in V4, you can't automatically forward tickets for
> security reasons. In V5, it's a site security policy option whether or
> not you can have this convenience at the cost of making it a little
> easier for an attacker to steal your tickets.)

To be more precise, with MIT's implementation of the V4 server, you
cannot forward tickets. Other implementations of a Kerberos server
(notably Transarc's) do not check the IP address stored in the ticket.
One could say that it is a site security policy option in V4, but
changing the setting of the option requires hacking the source code of
your Kerberos server.

I have devised a modified kerberized rsh that does pass the
ticket-granting ticket to the remote host, encrypted in the session
key. We've been starting to use it at our site and it's quite useful.

--
_.John G. Myers Internet: John.G.Myers@andrew.cmu.edu
LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
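
The address check discussed in this message, as an added example that is not part of the original post and is not code from MIT's or Transarc's server: a simplified C model in which a server compares the address stored in a ticket with the address the ticket is presented from. The struct layout, the addr_policy switch and all sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a V4-style ticket; constructed for illustration,
 * not the real wire format. */
struct ticket {
    const char *client;   /* principal the ticket names */
    uint32_t addr;        /* IPv4 address the ticket was issued to */
    uint32_t issued;      /* issue time, seconds */
    uint32_t lifetime;    /* validity period, seconds */
};

/* Hypothetical switch standing in for the site policy option discussed above. */
enum addr_policy { ADDR_STRICT, ADDR_IGNORE };
enum verdict { TKT_OK, TKT_EXPIRED, TKT_BAD_ADDR };

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Server-side check of a presented ticket against the sender's address. */
enum verdict check_ticket(const struct ticket *t, uint32_t from,
                          uint32_t now, enum addr_policy policy)
{
    if (now < t->issued || now - t->issued > t->lifetime)
        return TKT_EXPIRED;
    if (policy == ADDR_STRICT && t->addr != from)
        return TKT_BAD_ADDR;   /* ticket forwarded or copied to another host */
    return TKT_OK;
}

/* Count how many of the given source hosts could use the ticket. */
int hosts_accepted(const struct ticket *t, const uint32_t *hosts, int n,
                   uint32_t now, enum addr_policy policy)
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += check_ticket(t, hosts[i], now, policy) == TKT_OK;
    return ok;
}

/* Constructed sample data (documentation address ranges). */
static const struct ticket sample_tgt = { "user", IP(192, 0, 2, 10), 1000, 28800 };
static const uint32_t sample_hosts[3] = { IP(192, 0, 2, 10), IP(192, 0, 2, 20), IP(198, 51, 100, 7) };

int main(void)
{
    printf("strict: %d of 3 hosts accepted\n", hosts_accepted(&sample_tgt, sample_hosts, 3, 2000, ADDR_STRICT));
    printf("ignore: %d of 3 hosts accepted\n", hosts_accepted(&sample_tgt, sample_hosts, 3, 2000, ADDR_IGNORE));
    return 0;
}
```

With the strict policy only the issuing host can use the ticket, so forwarding fails; with the check disabled forwarding works, and so does presenting the same ticket from any other host.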