[4259] in Kerberos


Re: remote kpasswd

daemon@ATHENA.MIT.EDU (warlord@MIT.EDU)
Tue Nov 29 19:21:44 1994

From: warlord@MIT.EDU
Date: Tue, 29 Nov 94 19:03:49 EST
To: stripes@uunet.uu.net (Josh Osborne)
Cc: warlord@MIT.EDU (Derek Atkins), brian@nothing.ucsd.edu,
        hobbit@asylum.sf.ca.us, mcguire@rocinante.digex.net, kerberos@MIT.EDU
In-Reply-To: "[4242] in Kerberos"


> Not to belittle your fine idea, but having recently been involved in a 
> situation where it was decided by others that "doing TCP/IP will be harder 
> than our own little magic protocol", I can tell you that it isn't.  A 
> minimal TCP/IP + telnet + some of the "standard services" (TCP chargen,
> UDP echo) has been written in less than 8K of ROM on a machine with
> less than 3K of RAM (this was an embedded CPU with a 6502 core).

I'm truly impressed with this, however that doesn't solve a number of
problems.  First, it means that every dialup client has to be given
its own IP address and support PPP.  Second, the server side needs to
start decoding PPP for every client.  Third, it doesn't help when you
are logged in through multiple hops.

The extra-IP address problem is fairly simple to come by, just get one
IP address per phone line.  But in this case, what is the difference
between offering PPP dialup and a shell account?

The server-side load is more difficult.  Before, you could just have
modems connected to serial ports on machines and run getty.  Now you
actually need terminal servers that can decode PPP packets, which adds
to the expense and the overhead of the system.

As for the third problem, you can't necessarily run PPP inside a
telnet connection.  For example, using my code, I could be dialed up
to a machine in Cleveland, which is insecure, and then log in securely
to my MIT account.  Could you do that with PPP?  I doubt it!

> (yeah - I would prefer to have Kerberos over a magic protocol to just
> a plain wire, but I would prefer kinit over TCP + ktelnet and/or krlogin
> over TCP)

This works well if you are in a situation where you have the ability
to use PPP.  It requires a lot of extra dialup IP addresses, it
requires a TCP/IP stack on your client machine, it requires much more
work on the remote/server side of the connection (rather than a
bare-wire connection), and it won't work over multiple hops.

In my thesis, I even state that if you have PPP, or some type of IP
connectivity, then my work is probably moot.  However in many cases it
is much easier to just add a single program to your client machine.
Normal people find it much easier to just "run this program and type
your kerberos password".

-derek
