[442] in Kerberos


interested in authentication for batch jobs

daemon@TELECOM.MIT.EDU (Jerry Scharf)
Mon Jul 11 21:44:17 1988

From: Jerry Scharf <jerry@PIONEER.ARC.NASA.GOV>
To: kerberos@ATHENA.MIT.EDU
Cc: bkaufman@PIONEER.ARC.NASA.GOV

Hi, I'm new to the group. If this has been discussed before, please point
me to the archives (and even tell me where they might be.)

I am interested in using Kerberos as the authenticator for some of our machines.
I have read some papers on the subject and think I understand most of the
ideas involved. I have some problems when I get to systems that are both batch
and interactive in usage. The time limit of 22 hours (255 5-minute ticks) is
limiting in both the run time and the wait time before a job runs. In the
interactive use, the user is required to retype their password, which doesn't
seem to work for a batch job. There is also the problem that Kerberos doesn't
have the idea of an authenticated agent that I could see. The way I look at it,
the batch job itself is not authenticated, but instead is operating as an agent
of the authenticated user. This means that all the tickets of the user should
be passed to the batch job, along with the decrypting key of the user. This
looks unsafe to me at first glance.

Are there any cheap workarounds to these problems that don't compromise the
security? Are there any plans to extend Kerberos in some of these directions?
Can people point me to the literature that will help me understand this, or
better yet send me copies of papers by email?

(Will Spaceman Spiff live through the next episode)?

Jerry Scharf
NASA Ames Research Center
