[3171] in Kerberos
passing AFS tokens
daemon@ATHENA.MIT.EDU (John Gardiner Myers)
Sun Apr 24 22:42:16 1994
To: kerberos@MIT.EDU
Date: Sun, 24 Apr 1994 21:56:20 -0400
From: John Gardiner Myers <jgm+@CMU.EDU>
AFS and the Transarc kaserver always ignore the IP address associated
with the token.
I've implemented a variant of the kerberized rsh/rlogin which passes
over an encrypted ticket-granting credential. The server side then
uses that to obtain an AFS ticket. Unfortunately, I can't release the
code as our login is derived from Transarc code.
I've always found the IP address checks to be the most annoying facets
of Kerberos. It's not as if they really buy you anything in the way
of security.
--
_.John G. Myers Internet: jgm+@CMU.EDU
LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
