[1986] in Kerberos
Re: kerberos
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Mon Jun 22 19:17:33 1992
Date: Mon, 22 Jun 92 18:51:55 -0400
From: tytso@Athena.MIT.EDU (Theodore Ts'o)
To: Daniele Paganetti <paganett@iss.isei.jrc.it>
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: Daniele Paganetti's message of Mon, 22 Jun 92 16:52:52 +0200,
Reply-To: tytso@Athena.MIT.EDU

> From: Daniele Paganetti <paganett@iss.isei.jrc.it>
> Date: Mon, 22 Jun 92 16:52:52 +0200
>
> Is it true that to use Kerberos all the network's services need to be
> "kerberised"?

It depends on what you mean.

It is true that in order to make a particular network service use
Kerberos, you will need to change the source code and recompile both the
client and the server program(s). However, it is not true that you have
to "Kerberize" all network services at the same time.

In many cases, adding Kerberos is relatively simple; you merely have to
add a subroutine call or two to both the client and the server to do the
authentication exchange. For most basic authentication needs, the
function calls krb_sendauth() and krb_recvauth() will be more than
sufficient for most networked applications.

However, if you want your networked application to do something fancy
with the returned authenticated principal from Kerberos --- like check
some sort of fancy access control system for your authorization --- your
program may become more complicated, depending on your design specs.

- Ted
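
The authorization step mentioned in the last paragraph of the reply, as an added example that is not part of the original message and is not code from the Kerberos distribution: once the authentication exchange has given the server a principal, the server still decides for itself whether that principal may use the service. The example assumes the principal arrives as separate name, instance and realm strings; the ACL entry syntax `name.instance@REALM` with `*` as a wildcard, the function names and the sample entries are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* One ACL field matches when it is "*" or equals the value exactly. */
static int field_ok(const char *pat, const char *val) {
    return strcmp(pat, "*") == 0 || strcmp(pat, val) == 0;
}

/* Match one entry of the assumed form name.instance@REALM.
 * Malformed or oversized entries never match. */
static int entry_matches(const char *entry, const char *name,
                         const char *inst, const char *realm) {
    char buf[128], *at, *dot;
    if (strlen(entry) >= sizeof buf) return 0;
    strcpy(buf, entry);
    if ((at = strrchr(buf, '@')) == NULL) return 0;
    *at = '\0';                       /* buf is now "name.instance" */
    if ((dot = strchr(buf, '.')) == NULL) return 0;
    *dot = '\0';                      /* buf is now "name" */
    return field_ok(buf, name) && field_ok(dot + 1, inst) &&
           field_ok(at + 1, realm);
}

/* Default deny: returns 1 only if some ACL entry matches the principal. */
int principal_allowed(const char *const *acl, size_t n, const char *name,
                      const char *inst, const char *realm) {
    size_t i;
    if (!name || !inst || !realm || name[0] == '\0') return 0;
    for (i = 0; i < n; i++)
        if (entry_matches(acl[i], name, inst, realm)) return 1;
    return 0;
}

/* Constructed sample ACL: one named user, plus any "admin" instance. */
static const char *const SAMPLE_ACL[] = {
    "jdoe.@EXAMPLE.ORG", "*.admin@EXAMPLE.ORG"
};

int sample_decision(const char *name, const char *inst, const char *realm) {
    return principal_allowed(SAMPLE_ACL, 2, name, inst, realm);
}

int main(void) {
    printf("jdoe, local realm:  %d\n", sample_decision("jdoe", "", "EXAMPLE.ORG"));
    printf("jdoe, other realm:  %d\n", sample_decision("jdoe", "", "OTHER.EXAMPLE"));
    printf("alice.admin:        %d\n", sample_decision("alice", "admin", "EXAMPLE.ORG"));
    return 0;
}
```

All three parts of the principal are compared: the same name from a different realm, or with a different instance, is a different identity and is denied unless an entry allows it.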