[3966] in Kerberos
Re: cross-realm authentication
daemon@ATHENA.MIT.EDU (Derek Atkins)
Fri Sep 30 13:08:09 1994
To: Alexander Seth Jones <ajones@ctron.com>
Cc: kerberos@MIT.EDU
Date: Fri, 30 Sep 1994 12:09:50 EDT
From: Derek Atkins <warlord@MIT.EDU>
> How have people gotten cross-realm authentication to work? I would assume
> that users who wish to authenticate across realms must have principals in
> both realms, but how does setting up machines work? Do machines have to be
> in each other's realms as well? In other words, would a machine have to have
> an rcmd service key for both realms in order for one user to authenticate to
> the other machine in the different realm?
You assume incorrectly. The purpose of cross-realm authentication is
to allow users in one realm to authenticate to services in another.
For example, I, as "warlord@ATHENA.MIT.EDU" can authenticate to a
service at some other location (say "zephyr.zephyr@IASTATE.EDU")
without having to have a "warlord@IASTATE.EDU" principal.
The way this works is that the two kerberos servers for the two realms
(athena and isu in my example) have a shared key, and the server can
use that key to trust tickets made by the other server. Basically,
this key acts as a srvtab between the two realms -- for the
principal's realm it acts as a service ticket, and in the remote
realm it acts as a srvtab.
To answer your rcmd question: the answer is a definite no. You do not
need two rcmd tickets, only one. Just make sure the krb_realmofhost()
gives the proper kerberos realm and the shared keys are in place and
working. Then you can authenticate properly. The only caveat is that
kuserok() does check the realm of the user, so you will have to
remember to set your .klogin files properly.
Hope this helps
-derek
Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
Home page: http://www.mit.edu:8001/people/warlord/home_page.html
warlord@MIT.EDU PP-ASEL N1NWH PGP key available
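The exchange Derek describes, as an added example that is not part of the original post or of the MIT Kerberos code: two toy KDCs share one key, a user known only to the home realm obtains a cross-realm TGT there, turns it into a service ticket at the remote realm, and the service opens that ticket with the single srvtab key it holds before running a kuserok()-style check against .klogin entries. Everything below the mechanism itself is an assumption made to keep the example short: the SHA-256/HMAC construction standing in for DES, the JSON message fields, the krbtgt.REMOTE@LOCAL name for the shared key, and the rule in tgs_exchange that a KDC only honours TGTs whose first component names its own realm. It is not the krb4 wire format.

```python
# Added illustration of the cross-realm flow in the post, not code from it or from MIT
# Kerberos. Assumed for brevity: a SHA-256/HMAC stand-in for DES, JSON message fields,
# and the krbtgt.REMOTE@LOCAL name for the key the two KDCs share.
import hashlib, hmac, json, os


def _ks(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Encrypt+authenticate a dict under key (toy construction, plays the role of DES)."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; ValueError if blob was not sealed under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))


class KDC:
    """One realm's server: user keys, service (srvtab) keys and krbtgt keys, by principal."""

    def __init__(self, realm):
        self.realm, self.keys = realm, {}

    def as_exchange(self, user):
        """AS exchange: TGT for this realm plus a session key, sealed for the user."""
        skey = os.urandom(32)
        tgt = seal(self.keys[f"krbtgt.{self.realm}@{self.realm}"], {"client": user, "skey": skey.hex()})
        return seal(self.keys[user], {"skey": skey.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_name, tgt, authenticator, service):
        """TGS exchange. tgt_name names the krbtgt key the TGT is sealed under: our own
        krbtgt.R@R, or krbtgt.R@FOREIGN shared with a realm we trust. In the second case
        the shared key is used exactly like a srvtab, and the client keeps its foreign name."""
        if not tgt_name.startswith(f"krbtgt.{self.realm}@") or tgt_name not in self.keys:
            raise ValueError(f"{self.realm} does not honour TGTs for {tgt_name}")
        t = unseal(self.keys[tgt_name], tgt)
        if unseal(bytes.fromhex(t["skey"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        skey = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "skey": skey.hex()})
        return seal(bytes.fromhex(t["skey"]), {"skey": skey.hex(), "ticket": ticket.hex()})


def get_service_ticket(user, user_key, home, target, service):
    """Client side. `target` is the KDC of the realm krb_realmofhost() gives for the
    service's host; if that is not home, a cross-realm TGT is fetched from home first."""
    rep = unseal(user_key, home.as_exchange(user))
    skey, tgt = bytes.fromhex(rep["skey"]), bytes.fromhex(rep["tgt"])
    tgt_name = f"krbtgt.{home.realm}@{home.realm}"
    if target.realm != home.realm:
        xname = f"krbtgt.{target.realm}@{home.realm}"   # to the home KDC this is just a service
        rep = unseal(skey, home.tgs_exchange(tgt_name, tgt, seal(skey, {"client": user}), xname))
        skey, tgt, tgt_name = bytes.fromhex(rep["skey"]), bytes.fromhex(rep["ticket"]), xname
    rep = unseal(skey, target.tgs_exchange(tgt_name, tgt, seal(skey, {"client": user}), service))
    return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["skey"]), (tgt_name, tgt)


def service_accept(srvtab_key, ticket, authenticator, klogin):
    """Server side (the rcmd daemon): its single srvtab key opens the ticket, then a
    kuserok()-style check matches the full name@REALM against the .klogin entries."""
    t = unseal(srvtab_key, ticket)
    if unseal(bytes.fromhex(t["skey"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"] in klogin


def demo():
    """warlord@ATHENA.MIT.EDU -> zephyr.zephyr@IASTATE.EDU, as in the post (constructed keys)."""
    athena, iastate, shared = KDC("ATHENA.MIT.EDU"), KDC("IASTATE.EDU"), os.urandom(32)
    athena.keys["krbtgt.ATHENA.MIT.EDU@ATHENA.MIT.EDU"] = os.urandom(32)
    iastate.keys["krbtgt.IASTATE.EDU@IASTATE.EDU"] = os.urandom(32)
    athena.keys["krbtgt.IASTATE.EDU@ATHENA.MIT.EDU"] = shared    # acts as a service key here
    iastate.keys["krbtgt.IASTATE.EDU@ATHENA.MIT.EDU"] = shared   # ... and as a srvtab here
    user, user_key, zephyr_srvtab = "warlord@ATHENA.MIT.EDU", os.urandom(32), os.urandom(32)
    athena.keys[user] = user_key                                 # no warlord@IASTATE.EDU exists
    iastate.keys["zephyr.zephyr@IASTATE.EDU"] = zephyr_srvtab    # the ONLY key the service holds

    ticket, skey, (xname, xtgt) = get_service_ticket(user, user_key, athena, iastate, "zephyr.zephyr@IASTATE.EDU")
    auth = seal(skey, {"client": user})
    out = {
        "klogin_with_realm": service_accept(zephyr_srvtab, ticket, auth, ["warlord@ATHENA.MIT.EDU"]),
        "klogin_local_only": service_accept(zephyr_srvtab, ticket, auth, ["warlord@IASTATE.EDU"]),
    }
    try:   # the cross-realm TGT is for ISU's TGS; Athena holds the key but rejects it by name
        athena.tgs_exchange(xname, xtgt, auth, "zephyr.zephyr@IASTATE.EDU")
        out["xtgt_at_home"] = "accepted"
    except ValueError:
        out["xtgt_at_home"] = "rejected"
    return out
```

demo() returns klogin_with_realm True and klogin_local_only False: the same ticket is accepted or refused purely on whether .klogin names the user with the ATHENA.MIT.EDU realm, which is the caveat in the post. The service never touches the shared cross-realm key; only the two KDCs hold it, and zephyr opens its ticket with the one srvtab key it was registered with.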