[4329] in Kerberos
Re: request for commentary on krb IV server mod
daemon@ATHENA.MIT.EDU (Phi H Truong)
Tue Dec 13 10:13:47 1994
To: kerberos@MIT.EDU
Date: 13 Dec 1994 14:49:44 GMT
From: orion@iastate.edu (Phi H Truong)
Reply-To: orion@iastate.edu (Phi H Truong)
In article <199412120918.EAA13173@prez.mit.edu>,
Daniel G. Pouzzner <douzzer@prez.mit.edu> wrote:
>
>Hi all.
>
>I've just modified our kerberos servers to disable the inet_addr
>matching performed by krb_rd_req(). This allows us to have tickets
>(and AFS tokens) automatically set up when we telnet. I am of the
>opinion that the inet_addr checking offers no real additional
>security. A possible half-way in this area is to implement an
>"outstanding tgt" table in the kserver: tgt's and the hosts from which
>they may be used are recorded, and use of a tgt by a secondary host
>can only be endorsed by a request initiated from a host already in the
>list. Needless to say, the entire family of ticket files associated
>with the tgt simultaneously expire.
>
I am somewhat confused as to what you were trying to accomplish. Are you
trying to do ticket forwarding or just to get telnet to work with
kerberos/AFS? For the former, I have some ideas but haven't tested. As
for the latter, it would seem a bit drastic to change kerberos code just
to make telnet work properly.
I can see ticket forwarding as a plus for doing rsh or rcp but not for
other things like telnet or rlogin.
--
_____
Phi H. Truong "Hmmmmmmmm....... "
orion@iastate.edu ISU Computation Center
Systems Analyst 237 Durham Center ph: (515) 294-1420
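The "outstanding tgt" table sketched in the quoted message, as an added illustration that is not code from this thread or from Kerberos IV: a TGT's list of allowed hosts grows only by endorsement from a host already on the list, and when the TGT expires every service ticket derived from it becomes invalid at the same moment. The class name, the opaque ticket ids and the fixed lifetime are assumptions made for the example.

```python
import time


class OutstandingTGTTable:
    """Constructed model of the per-TGT host list proposed in the thread.

    Each entry records the hosts that may use the TGT, its expiry time and
    the service tickets derived from it, so the whole family expires together.
    """

    def __init__(self):
        self._entries = {}  # tgt_id -> {"hosts": set, "expires": float, "derived": set}

    def register(self, tgt_id, origin_host, lifetime, now=None):
        """Record a fresh TGT; only the host it was issued to may use it at first."""
        now = time.time() if now is None else now
        self._entries[tgt_id] = {"hosts": {origin_host}, "expires": now + lifetime, "derived": set()}

    def _live(self, tgt_id, now):
        # Drop the entry (and with it every derived ticket) once the TGT has expired.
        entry = self._entries.get(tgt_id)
        if entry is None or now >= entry["expires"]:
            self._entries.pop(tgt_id, None)
            return None
        return entry

    def endorse(self, tgt_id, requesting_host, new_host, now=None):
        """Add a host to the list, but only on request from a host already on it."""
        now = time.time() if now is None else now
        entry = self._live(tgt_id, now)
        if entry is None or requesting_host not in entry["hosts"]:
            return False
        entry["hosts"].add(new_host)
        return True

    def may_use(self, tgt_id, host, now=None):
        """True if the TGT is still live and this host is on its list."""
        now = time.time() if now is None else now
        entry = self._live(tgt_id, now)
        return entry is not None and host in entry["hosts"]

    def derive(self, tgt_id, host, service_ticket_id, now=None):
        """Issue a service ticket from an allowed host; it is tied to the TGT's lifetime."""
        if not self.may_use(tgt_id, host, now):
            return False
        self._entries[tgt_id]["derived"].add(service_ticket_id)
        return True

    def ticket_valid(self, tgt_id, service_ticket_id, now=None):
        """A derived service ticket is valid only while its parent TGT is."""
        now = time.time() if now is None else now
        entry = self._live(tgt_id, now)
        return entry is not None and service_ticket_id in entry["derived"]
```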