[3169] in Kerberos


Re: Kerberized FTP

daemon@ATHENA.MIT.EDU (michael shiplett)
Sun Apr 24 18:32:48 1994

To: kerberos@MIT.EDU
Date: 24 Apr 1994 21:22:08 GMT
From: walrus@enchanter.ifs.umich.edu (michael shiplett)
Reply-To: michael.shiplett@umich.edu

"rs" == Roland Schemers <schemers@leland.Stanford.EDU> writes:

rs> In article <WALRUS.94Apr24155830@enchanter.ifs.umich.edu>,
rs> michael shiplett <michael.shiplett@umich.edu> wrote:

>> Now that kerberos works, I guess it's time to modify ftpd to get an
>> AFS token.

rs> How were you planning on doing that? 

[some good ideas deleted]

  Actually, I hadn't thought too much about it since I'm trying to get
kftp going in my spare work time--compiles, short breaks, avoiding
single project burn-out, etc. Ftpd is such an annoying creature
compared to telnetd, e.g., I can install vanilla ktelnetd without
impacting any existing users (read "people with non-kerberized
telnet") since the bulk of the work is handled by AFS login, but
installing kftpd requires AFS modifications in order for users to
access non-system:anyuser directories.

  I like the "site klog" approach in that it's
simple--essentially the same as "ktelnet foo" followed by "klog" once
one is connected to foo. Passing a ticket from one machine to another
isn't as nice in that it requires AFS ignore the ip address associated
with the token. I did like the other approach you mentioned, which
I've summarized in the following exchange.

    foo% ftp bar
    a) <bar and foo do the usual mutual authentication dance>
    b) <bar requests an afs ticket for user>
    c) <bar passes user ticket to foo>
    d) <foo decrypts user ticket>
    e) <foo sends decrypted ticket to bar>
    f) <bar converts ticket to token and slams it in the kernel>
    ftp> unlog
    g) <bar removes token from kernel>
    ftp> quit

I think (f) would require the user to enter his password on machine
foo, but I haven't thought much about this. This exchange could also
be done for ktelnet.

michael
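The seven-step exchange sketched above, worked through as an added example that is not part of the original post or of any kftpd code. It is a Python simulation in which the KDC, the ftp server bar and the client foo are plain classes; the user name walrus, the salt UMICH.EDU, the password, and the HMAC-keystream cipher used for "ticket" sealing are all hypothetical stand-ins, not Kerberos enctypes or the real AFS token format. What it shows is the remark about step (f): step (d) only succeeds when the user's password is available on foo, and a wrong password fails before any token reaches bar's "kernel"; step (e) is carried sealed under the channel key from step (a).

```python
import hashlib
import hmac
import json
import secrets

# --- stand-in primitives (hypothetical; not Kerberos string-to-key or enctypes) ---

def string_to_key(password: str, salt: str) -> bytes:
    """Derive a key from a password; parameters are illustrative only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC keystream: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: cannot decrypt ticket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- the three parties ---

class KDC:
    """Holds each principal's long-term key (constructed sample data)."""
    def __init__(self):
        self.keys = {"walrus": string_to_key("correct horse", "UMICH.EDU")}

    def afs_ticket_for(self, user: str) -> bytes:
        # step (b): a ticket for the afs service, readable only with the user's key
        body = {"user": user, "service": "afs", "session_key": secrets.token_hex(16)}
        return seal(self.keys[user], json.dumps(body).encode())

class Bar:
    """The ftp server; kernel_tokens stands in for the token table in the kernel."""
    def __init__(self, kdc: KDC):
        self.kdc = kdc
        self.kernel_tokens = {}

    def mutual_auth(self) -> bytes:
        # step (a): the usual mutual authentication, modelled as a shared channel key
        return secrets.token_bytes(32)

    def request_ticket(self, user: str) -> bytes:
        # steps (b) and (c): fetch the user's afs ticket and hand it to foo
        return self.kdc.afs_ticket_for(user)

    def install_token(self, channel_key: bytes, sealed_plain: bytes) -> None:
        # step (f): convert the decrypted ticket into a token and "slam it in the kernel"
        plain = json.loads(unseal(channel_key, sealed_plain))
        self.kernel_tokens[plain["user"]] = {"service": plain["service"], "key": plain["session_key"]}

    def unlog(self, user: str) -> None:
        # step (g): remove the token from the kernel
        self.kernel_tokens.pop(user, None)

class Foo:
    """The client; step (d) needs the user's password typed here."""
    def decrypt_ticket(self, ticket: bytes, password: str, salt: str) -> bytes:
        return unseal(string_to_key(password, salt), ticket)

def run_exchange(user: str, password_on_foo: str, bar: Bar) -> dict:
    channel_key = bar.mutual_auth()                                   # (a); foo holds the same key
    ticket = bar.request_ticket(user)                                 # (b), (c)
    plain = Foo().decrypt_ticket(ticket, password_on_foo, "UMICH.EDU")  # (d): fails without the password
    bar.install_token(channel_key, seal(channel_key, plain))          # (e), (f)
    return dict(bar.kernel_tokens)

if __name__ == "__main__":
    bar = Bar(KDC())
    print(run_exchange("walrus", "correct horse", bar))
    bar.unlog("walrus")
    print(bar.kernel_tokens)
```

Running it with the right password leaves an afs token for walrus in bar's table until unlog; running it with any other password raises in step (d), which is the dependency on the user's password at foo noted above.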
