[4318] in Kerberos


request for commentary on krb IV server mod

daemon@ATHENA.MIT.EDU (Daniel G. Pouzzner)
Mon Dec 12 04:27:16 1994

Date: Mon, 12 Dec 1994 04:18:01 -0500
From: "Daniel G. Pouzzner" <douzzer@prez.mit.edu>
To: kerberos@MIT.EDU


Hi all.

I've just modified our kerberos servers to disable the inet_addr
matching performed by krb_rd_req(). This allows us to have tickets
(and AFS tokens) automatically set up when we telnet. I am of the
opinion that the inet_addr checking offers no real additional
security. A possible half-way in this area is to implement an
"outstanding tgt" table in the kserver: tgt's and the hosts from which
they may be used are recorded, and use of a tgt by a secondary host
can only be endorsed by a request initiated from a host already in the
list. Needless to say, the entire family of ticket files associated
with the tgt simultaneously expire.

What does krb V have to say about this stuff?

Here is a sample session with our current setup:


-* klist
Ticket file:    /tmp/douzzer/tkt_4346_10595
Principal:      douzzer.root@BRAIN.MIT.EDU

  Issued           Expires          Principal
Dec 11 22:13:32  Dec 12 08:13:32  krbtgt.BRAIN.MIT.EDU@BRAIN.MIT.EDU
Dec 11 22:13:36  Dec 12 08:13:36  rcmd.ladyday@BRAIN.MIT.EDU
-* telnet -l root ladyday

Trying 18.88.1.2...
Connected to ladyday.brain.mit.edu.
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
Last login: Mon Dec 12 03:31:29 from PREZ.MIT.EDU
SunOS Release 4.1.3_U1 (LADYDAY) #1: Wed Aug 31 14:18:59 EDT 1994
ladyday(tcsh)# klist
Ticket file:    /tmp/tkt_ttyp2.pid7371
Principal:      douzzer.root@BRAIN.MIT.EDU

  Issued           Expires          Principal
Dec 11 22:13:32  Dec 12 08:13:32  krbtgt.BRAIN.MIT.EDU@BRAIN.MIT.EDU
Dec 12 03:43:39  Dec 12 08:13:39  afs.brain.mit.edu@BRAIN.MIT.EDU
ladyday(tcsh)# tokens

Tokens held by the Cache Manager:

User's (AFS ID 69882) tokens for afs@brain.mit.edu [Expires Dec 12 08:13]
   --End of list--
ladyday(tcsh)# exit
logout
Connection closed by foreign host.

[/bin/login runs dest_tkt() and scratches the AFS tokens when the
 shell exits]
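The "outstanding tgt" table sketched in the message, worked through as an added Python model that is not Kerberos V4 code and not the author's server modification: the class and method names, the TGT identifier and the timestamps are assumptions, while the hosts and principal are taken from the session above.

```python
# Added model (not Kerberos V4 code, not the author's patch); names/times are assumptions.
from dataclasses import dataclass, field

@dataclass
class TgtRecord:
    principal: str
    expires: int                               # end of the TGT's lifetime (epoch seconds)
    hosts: set = field(default_factory=set)    # hosts allowed to present this TGT
    derived: set = field(default_factory=set)  # service tickets obtained with it

class OutstandingTgtTable:
    def __init__(self):
        self._tgts = {}

    def register(self, tgt_id, principal, host, expires):
        # A fresh TGT is bound to the host that obtained it (where kinit ran).
        self._tgts[tgt_id] = TgtRecord(principal, expires, {host})

    def endorse(self, tgt_id, requesting_host, new_host, now):
        # A secondary host is admitted only on a request from a host already listed.
        rec = self._live(tgt_id, now)
        if rec is None or requesting_host not in rec.hosts:
            return False
        rec.hosts.add(new_host)
        return True

    def issue_service_ticket(self, tgt_id, from_host, service, now):
        # Stand-in for the TGS check: the TGT is honoured only from a listed host.
        rec = self._live(tgt_id, now)
        if rec is None or from_host not in rec.hosts:
            return None
        rec.derived.add(service)
        return service

    def live_tickets(self, tgt_id, now):
        # The TGT and every ticket derived from it expire together.
        rec = self._live(tgt_id, now)
        return set() if rec is None else {"krbtgt"} | rec.derived

    def _live(self, tgt_id, now):
        rec = self._tgts.get(tgt_id)
        if rec is not None and now >= rec.expires:
            del self._tgts[tgt_id]                 # purge the whole family at once
            rec = None
        return rec

def demo():
    # Constructed walk-through: TGT obtained on prez, endorsed for ladyday, used for AFS.
    t = OutstandingTgtTable()
    t.register("tgt-1", "douzzer.root@BRAIN.MIT.EDU", "prez.mit.edu", expires=1000)
    t.endorse("tgt-1", "prez.mit.edu", "ladyday.brain.mit.edu", now=100)
    t.issue_service_ticket("tgt-1", "ladyday.brain.mit.edu", "afs.brain.mit.edu", now=200)
    return t.live_tickets("tgt-1", 300), t.live_tickets("tgt-1", 1000)
```

Once the TGT's lifetime ends, `live_tickets` returns an empty set and no further endorsement or service-ticket issue succeeds, which is the "entire family expires simultaneously" property from the message.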
