Date: Sat, 6 Aug 94 21:01:00 EDT
From: Thor Lancelot Simon <tls@panix.com>
To: tytso@MIT.EDU (Theodore Ts'o)
In-Reply-To: Your message of Sat, 6 Aug 94 10:54:09 EDT
Cc: kerberos@MIT.EDU

> :-) What makes you think that simply because the login program on
> net-dist supports S/Key has any relationship to Kerberos?
>
> There have been some thoughts about how you might do it; it would
> involve the use of public-key technology, though, and require that you
> run a separate S/Key->TGT server on your Kerberos server. We haven't
> sat down and seriously designed it though, and it most probably won't
> be appearing in the next beta. :-)

Your idea about how to do it sounds more or less like my idea about how to do it. I spent about ten minutes looking at the crimelab s/key distribution's "skey server" (don't bother; it's horribly insecure), shuddered in fear, thought about how to do it right, and then thought, "oh, hey, why not make the `skey server` hand out a Kerberos TGT", shuddered in fear again (because I don't understand Kerberos internals well enough to believe I could do that correctly) and just figured that someone, somewhere would get around to it.

But it's an idea whose time is clearly at hand. Unless something's changed since I last used them, even Athena's own terminal servers don't have Kerberos support, and I seriously doubt that any substantial percentage of the people who use the athena.dialup machines from outside kinit to get there. The Kerberos installation at Usenix was a disaster because there weren't any secure machines to run kinit on. (Having spent four hours trying to find someone from NCR who could build a kinit binary for their X terminals and solve the problem, I know this from painful experience.)

An S/KEY TGT server would eliminate the "dumb terminals can't speak Kerberos" problem (or rather do an end-run on it), wouldn't it? It seems to me that there must be an enormous demand for that, both at MIT and outside.