[3668] in Kerberos
Re: S/KEY integrated with Kerberos?
daemon@ATHENA.MIT.EDU (Ganesan)
Mon Aug 8 13:51:36 1994
From: bf4grjc@socrates.MIT.EDU (Ganesan)
To: hendrick@ctron.com (James R. Hendrick)
Date: Mon, 8 Aug 1994 13:39:57 -0500 (EDT)
Cc: kerberos@MIT.EDU
In-Reply-To: <199408081632.MAA00837@marlins.ctron.com> from "James R. Hendrick" at Aug 8, 94 12:32:19 pm
Reply-To: bf4grjc@bell-atl.com
> If I am missing something here, please help me understand. Why can't the KDC
> store the user's S/Key (keyinit) passphrase similarly to how a standalone
> machine
As discussed, you can, but don't call it S/Key!
> would not get anything useful. My concern is that of the client's login program
> not knowing the proper sequence number initially. Should the login program
> on each client be made a registered principal so it can use its own
> "password" to encrypt the whole session with the KDC? Or wouldn't the
> sending of a sequence number unencrypted outside the TGT be a problem?
In your scheme, i.e. storing x0 on the Kerberos server, the login program
need not even be altered. It decrypts TGT as usual, and hopefully,
verifies that the encrypted TGT really came from the KDC using a locally
stored service key. Only the KDC need keep track of sequences.
> P. S. Has anyone thought about how to keep the sequence numbers in-sync across
> multiple KDCs ??
Run kprop as a cron job...ha ha ha. Seriously, the updates to the sequence
numbers in all KDCs in your scheme need to be instantaneous; if not,
I can steal the passphrase you used in talking to KDC1 and immediately
use it against KDC2.
If this is ever implemented, I would personally not recommend altering
the KDC functionality in any way. I would use the same external hooks
used to integrate token authenticators (your scheme is basically a
token authentication scheme without the hardware) in KV5. See the HW_AUTHENT
discussion in RFC 1510. I would then make each of your multiple KDCs
talk to your version of S/KEY (running as a separate server) and
build some sort of secure channel between all the KDCs and S/KEY.
Thanks,
Ravi
************************************************************
Ravi Ganesan
Senior Manager
Center of Excellence for Electronic Commerce, Bell Atlantic
e-mail: Ravi.Ganesan@Bell-Atl.Com
v-mail: (301) 236-7583
Fax: (301) 236-8569
************************************************************
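An added illustration of the replay window Ravi describes above, not code from this thread nor from any S/KEY or Kerberos implementation: a simplified S/KEY-style verifier (SHA-256 stands in for S/KEY's folded MD4, an assumption; the secret and chain length are constructed) run against two KDC replicas, with and without the instantaneous sequence-number propagation he asks for.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

def h(x: bytes) -> bytes:
    """One-way step of the chain (SHA-256 stands in for S/KEY's folded MD4)."""
    return hashlib.sha256(x).digest()

def h_n(secret: bytes, n: int) -> bytes:
    """Apply h to the secret n times: h^n(secret)."""
    for _ in range(n):
        secret = h(secret)
    return secret

@dataclass
class Verifier:
    """Per-principal state a KDC would hold: the last accepted value and its
    sequence number. The initial value is the keyinit output (x0 in the thread)."""
    last: bytes
    seq: int

    def verify(self, otp: bytes) -> bool:
        # The one-time password for sequence seq-1 must hash forward to the stored value.
        if self.seq <= 0 or h(otp) != self.last:
            return False
        # Advance the chain so this value can never be accepted again by this verifier.
        self.last, self.seq = otp, self.seq - 1
        return True

def run(propagate_immediately: bool) -> tuple[bool, bool, bool]:
    """Returns (first use accepted by KDC1, replay against KDC1, replay against KDC2)."""
    secret = b"constructed-passphrase-and-seed"   # constructed sample secret
    n = 100                                       # constructed chain length
    kdc1 = Verifier(h_n(secret, n), n)
    kdc2 = Verifier(h_n(secret, n), n)            # replica initialised from the same keyinit
    otp = h_n(secret, n - 1)                      # the value the user's client sends
    first = kdc1.verify(otp)
    if propagate_immediately:
        # The instantaneous update the thread calls for: KDC2 learns the new sequence at once.
        kdc2.last, kdc2.seq = kdc1.last, kdc1.seq
    # A second presentation of the same value: rejected by KDC1, and by KDC2 only if it was updated.
    return first, kdc1.verify(otp), kdc2.verify(otp)
```

With immediate propagation the replay fails on both KDCs; with a lagging replica (the kprop-as-cron case) KDC2 still accepts the value KDC1 has already consumed.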