[3687] in Kerberos
Re: S/KEY integrated with Kerberos?
daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Wed Aug 10 15:47:10 1994
To: kerberos@MIT.EDU
Date: 10 Aug 1994 15:13:47 -0400
From: tls@panix.com (Thor Lancelot Simon)

In article <MARC.94Aug10114707@dun-dun-noodles.gza.com>,
Marc Horowitz <marc@security.ov.com> wrote:
>>> Since the Annex already *has* a filesystem, it would seem to me that
>>> Xylogics must already have done most of the hard part of porting K4 to
>>> their box. I don't really understand why they didn't Do The Right
>>> Thing, and though it's my only substantial gripe about the Annex, I do
>>> wish they'd go fix it posthaste.
>
>You don't seem to understand the way the Annex does kerberos password
>checking. It passes the username and password (optionally encrypted,
>I hope you have this enabled!) to the erpcd on the unix host, which
>acquires the TGT on behalf of the Annex. So, they haven't actually

Yow. That is *not* how I remember the Annex manual phrasing things, but
you're certainly right, erpcd does seem to do that.

I don't see how that's any different from, or better than, the way the Annex
now just accesses a Unix password file. Ick, ick, ick.

Yes, I do have encryption turned on on my Annexes.

The functionality still is the same as if they'd done it the way I thought
they had, but you're right -- it does mean they'd have a lot more work than
I thought to redo it right.

>ported any of kerberos to their hardware.
>
>I also don't see why the filesystem bit is relevant.

Because it means they don't have to write any new code to handle caching tickets
anywhere special and the like. Not a big deal, but since I was assuming they
already had the protocol parts of the library ported, it seemed to be most of
what was left, no?