[2053] in Kerberos

Re: Relationship between MIT's Kerberos 4 and the Kerberos in AFS 3

daemon@ATHENA.MIT.EDU (John Gardiner Myers)
Mon Jul 20 15:42:13 1992

Date: 20 Jul 92 10:54:12 GMT
From: jgm+@cmu.edu (John Gardiner Myers)
To: kerberos@shelby.Stanford.EDU

warlord@ATHENA.MIT.EDU (Derek Atkins) writes:
> The only difference I have seen between MIT Kerberos and AFS Kerberos
> is the string-to-key function.  The string-to-key that you use to get
> a password must match the one used to create it.  AFS kerberos folds
> in the realm-name into the key when making it from the string.
> 
> However, once the initial ticket is obtained, the two look exactly
> the same, and work similarly, such that anything that works invisibly
> with MIT Kerberos should work with AFS Kerberos, and vice-versa.

This is pretty much correct--once you get an initial ticket, the two
implementations of Kerberos interoperate quite well.  

There is one minor difference in that the AFS Kerberos implements
ticket lifetimes longer than MIT's limit of about 10 hours.  This
doesn't seem to cause any real problems in practice, though servers
built against the MIT Kerberos will consider these long-lifetime
tickets as expired before they should.

There is a set of patches to the MIT Kerberos distribution to
implement long ticket lifetimes.  These patches are available via
anonymous FTP to export.acs.cmu.edu, in pub/kerberos.lifetime.patch

-- 
_.John G. Myers		Internet: jgm+@CMU.EDU
			LoseNet:  ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
