[2911] in Kerberos
Kerberos admin/realms questions
daemon@ATHENA.MIT.EDU (Jeffrey Alguire)
Wed Nov 24 19:06:07 1993
Date: Wed, 24 Nov 93 18:52:22 EST
From: alguire@turing.scs.carleton.ca (Jeffrey Alguire)
To: kerberos@MIT.EDU
Hello:
My name is Jeffrey Alguire, and I am a Master of Computer Science student at
Carleton University in Ottawa, Ontario, Canada. My term project for a Security
course I'm currently taking entails the evaluation of Kerberos 5 for use
within a major REAL MULTI-SITE MEDIUM TO LARGE-SIZED Corporate environment.
I will report to my professor as well as to the Security Department of that
corporation by Dec. 20, 1993. I will be expected to assess the feasibility
of use of the package within the given setting and to present a possible
implementation strategy (primarily from an administrative standpoint).
I have a problem that I would greatly appreciate your assistance in solving
if possible. I have read your Version 4 document of 1988 (Project Athena
Technical Plan, Section E.2.1, "Kerberos Authentication and Authorization
System", by S.P. Miller, B.C. Neuman, J.I. Schiller and J.H. Saltzer), and
some of the Version 5 document of September 1, 1992 ("The Kerberos Network
Authentication Service (V5)" by John Kohl and B. Clifford Neuman). It seems,
though, that I have not been able to ascertain/comprehend some details
concerning INTER-REALM communication, an area which my analysis must strongly
focus on.
The corporation has many departments which may want to use separate realms.
In addition, it may wish to communicate with other organizations or authorize
resource access for those organizations in a secure manner. Finally,
reorganization is common, sometimes expected to necessitate the redefinition
of realm hierarchies.
I need to know more about inter-realm communication, especially the
administration thereof. For instance:
1. When people or resources must move from one realm to another, how can this
be done with minimal stress on realm administrators? If people were to
identify themselves and their departments in some secure manner at login
time, for example, could realm definitions (for the old + new realms) be
updated automatically in the case of a realm change for a user (either
immediately - which is preferable - or in batch mode)?
2. When low-level departments move between higher-level departments (where
there are Kerberos servers for both the lower and higher-level departments -
i.e., a parallel Kerberos server hierarchy), what is the best secure way to
implement corresponding changes within the Kerberos Server hierarchy?
3. When new departments are created, or old ones renamed, how are new realms
created or names changed accordingly, and the changes reflected properly
in the realm tree?
4. (This one applies within a given organization, but is potentially more
complex in the inter-organizational case.)
When hierarchies are changed (perhaps with some potential legitimate
parties to communication being initially unaware of the change, as in the
inter-organizational case, for example, where one organization is not
initially kept fully informed of such changes in another that it interacts
with), how are local Kerberos servers kept informed so that transit paths
can be updated? Must this be done through (potentially cumbersome) extensive
administrator-to-administrator communication and manual 'fixing'? Can it
be automated via some Kerberos-authenticated protocol?
5. What special H/W requirements are there (e.g., MIPS/Full-Time user, memory,
supported platforms, etc.) for running Kerberos? If one wishes to retain a
particular server process with special option settings for a small but
highly-specialized group that does not use the system enough to get good
utility out of the processor, can one safely run other servers (Kerberos
or otherwise) on the same host? Must all such servers belong to a common
realm?
That's all I can think of at the moment, but in general, I need to know all
about Kerberos installation and operational issues, especially as pertains to
administration.
Any help that anyone could offer would be greatly appreciated!
Sincerely,
Jeffrey C. Alguire
Graduate Student,
School of Computer Science,
Carleton University,
1125 Colonel By Drive,
Ottawa, Ontario, Canada.
K1S 5B6
Tel: (H) (613) 224-2393 / (613) 225-2393
(O) (613) 788-4333
e-mail: alguire@scs.carleton.ca
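Added example, not part of the original post or of any Kerberos distribution: questions 2 and 4 above ask how transit paths follow a realm hierarchy and what has to change when the hierarchy is reorganized. The Kerberos V5 specification the post cites defines a default rule for DNS-style realm names when no explicit path is configured: the KDCs walk from the client realm up to the nearest common ancestor realm and then down to the service realm, and every adjacent pair of realms on that walk must share a cross-realm key. The code below implements that default rule and shows which cross-realm keys a reorganization adds or removes. The realm names are constructed for illustration, and the "/"-separated (X.500-style) naming the specification also allows is not handled here.

```python
"""Default hierarchical inter-realm transit path for DNS-style realm names.

This is an added illustration of the rule in the Kerberos V5 specification,
not code from MIT Kerberos. Realm names used in the usage block are made up.
"""


def _ancestors(realm: str) -> list[str]:
    """Suffix realms from the realm itself up to its top-level component,
    e.g. 'A.B.C' -> ['A.B.C', 'B.C', 'C']."""
    parts = realm.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def transit_path(client_realm: str, service_realm: str) -> list[str]:
    """Ordered realms a ticket passes through, endpoints included, under the
    default rule: climb to the nearest common ancestor, then descend.
    Returns [] when the realms share no suffix, i.e. the default rule cannot
    join them and an explicitly configured path would be needed."""
    if client_realm == service_realm:
        return [client_realm]
    up = _ancestors(client_realm)
    down = _ancestors(service_realm)
    common = next((r for r in up if r in down), None)
    if common is None:
        return []
    climb = up[: up.index(common) + 1]           # client realm ... common
    descend = list(reversed(down[: down.index(common)]))  # ... service realm
    return climb + descend


def required_cross_realm_keys(path: list[str]) -> list[tuple[str, str]]:
    """Adjacent realm pairs on a path. Each pair must hold a shared
    cross-realm key (the krbtgt principal of one realm registered in the
    other) for the path to be usable."""
    return [(path[i], path[i + 1]) for i in range(len(path) - 1)]


def rekey_delta(old_path: list[str], new_path: list[str]):
    """Cross-realm keys that a reorganization adds and removes, comparing
    the key sets needed by the old and new paths (pairs are unordered)."""
    old = {frozenset(p) for p in required_cross_realm_keys(old_path)}
    new = {frozenset(p) for p in required_cross_realm_keys(new_path)}
    added = sorted(tuple(sorted(p)) for p in new - old)
    removed = sorted(tuple(sorted(p)) for p in old - new)
    return added, removed


if __name__ == "__main__":
    # Constructed realms: an engineering group under the Ottawa site talks
    # to a sales group under the Toronto site, both under EXAMPLE.COM.
    before = transit_path("ENG.OTTAWA.EXAMPLE.COM", "SALES.TORONTO.EXAMPLE.COM")
    print("path before reorg:", " -> ".join(before))
    # Reorganization: engineering moves directly under the corporate realm.
    after = transit_path("ENG.EXAMPLE.COM", "SALES.TORONTO.EXAMPLE.COM")
    print("path after reorg: ", " -> ".join(after))
    added, removed = rekey_delta(before, after)
    print("cross-realm keys to create:", added)
    print("cross-realm keys to retire:", removed)
```

The delta is the practical answer to the "manual fixing" worry in question 4: every new adjacency on the path is a cross-realm key that both KDC administrators must establish out of band, and every realm between the endpoints appears in the ticket's transited field, which the receiving service may check against its own policy. Implementations can also be given an explicit path (for example the [capaths] section of an MIT krb5.conf) that overrides this default rule, which is how a reorganized hierarchy can be bridged without re-keying every intermediate realm at once.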