[2063] in Kerberos
MacX and kerberos...
daemon@ATHENA.MIT.EDU (Everette Allen)
Thu Jul 30 11:23:19 1992
Date: 30 Jul 92 14:23:15 GMT
From: everette@ncsuvm.cc.ncsu.edu (Everette Allen)
To: kerberos@shelby.Stanford.EDU
I need some help understanding the mechanics of the kerberos protocol as it
relates to the MacX Xwindows server. As I understand it MacX is not able to
query Xdm as some other servers do. Instead, MacX users rsh to execute
individual commands. So I can fire up MacX and issue a:
/usr/local/X11/xterm -display "(display" and I will get an xterm alone which
lives and plays with my other mac windows. Enter Kerberos... on our system
rsh is not kerberized so I get "login incorrect" because, I think, the rsh
is not looking in the Hesiod database to verify my password. Is this correct?
If so where is the ftp archive for kerberized rshd (and ftpd, telnetd etc for
that matter) ?? Now the security issue. If I understand, any time that an
Xserver passes a password *not a ticket* over the net it is insecure from a
standpoint of kerberos. Is this true? I have seen a kerberos init for the
Mac which is used with Nuntius (a mail reader which speaks to the kerberized
popd) and actually passes tickets like the mac was a kerberized unix box.
Does anyone know if this is correct information?? I would like to be able to
use MacX to allow me to login to machines in a kerberized realm just like I
was a hardwired Xstation (all the memory but no brains :-). I am really not
concerned that the password is clear text but if this could be arranged...:-).
What are the real issues here?? Can Mac and PC Xservers coexist with
kerberos in a fairly secure way (secure = clear text to clients on a *local*
net, like down the hall to the closet :-) ?? My whole goal is to use MacX to
login to a kerberized realm and get the twm or mwm or vue stuff in a rooted
window or whatever I want. Telnetting line mode and pointing the xdm or
whatever back to my mac is unacceptable (all the same security issues with
none of the ease :). Any help that I can get would be great. Everette