Re: Crossing Realms
daemon@TELECOM.MIT.EDU (Jon Rochlis)
Tue Jul 12 14:29:28 1988
From: Jon Rochlis <jon@BITSY.MIT.EDU>
To: Doug Alan <nessus@ATHENA.MIT.EDU>
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Doug Alan's message of Tue, 12 Jul 88 00:57:52 EDT,
From: Doug Alan <nessus@ATHENA.MIT.EDU>
Date: Tue, 12 Jul 88 00:57:52 EDT
Sender: nessus@WONKO.MIT.EDU
> Before this will work, do KERBEROS.EECS.MIT.EDU and KERBEROS.MIT.EDU
> have to have exchanged some kind of password between them so that they
> will be able to identify each other? If so, is this done with the
> usual service instance mechanism, with a password that goes in
> /etc/srvtab? What is the name of this instance?
Yes, you need to share a secret with each realm you want to play ball
with. It is not srvtab-based. Rather, the ATHENA realm has an entry for
krbtgt.EECS.MIT.EDU@ATHENA.MIT.EDU which has the same key as the entry
in the EECS realm for krbtgt.ATHENA.MIT.EDU@EECS.MIT.EDU ... (Give me
or Jeff or Ron a call if you actually want to do this and we'll set it up).
> Then I have to add a line to /usr/etc/credentials on SERVER.MIT.EDU,
> to grant access to nessus@ATHENA.MIT.EDU? What does this line look
> like? "nessus@ATHENA.MIT.EDU:654"?
That would be my guess (that's what Sommerfeld maintained when the
credentials stuff was done). If it doesn't work that way it should.
> Then I have to add a line to /etc/krb.realms on WS.MIT.EDU? What does
> this line look like? "server.mit.edu EECS.MIT.EDU"?
Yes, I think that is right.
> Is there anything else that I am missing?
/etc/krb.conf on WS.MIT.EDU has to have a line like
"EECS.MIT.EDU kerberos.eecs.mit.edu" in order for the workstation to
be able to figure out how to talk to the EECS kerberos server.
The basic idea is that you get a TGT for EECS from the ATHENA server
(krbtgt.EECS.MIT.EDU@ATHENA.MIT.EDU), and present it to the EECS
kerberos server in order to get a ticket for
rvdsrv.server@EECS.MIT.EDU (which has your identity
nessus@ATHENA.MIT.EDU sealed inside). You are not "authenticated" by
the EECS realm at all; you are authenticated by the ATHENA realm, and
that is why you need to be able to specify a realm in the credentials
file (or any other kind of access control list you might think of).
-- Jon
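The cross-realm flow Jon lays out (shared krbtgt key, cross-realm TGT from ATHENA, service ticket from EECS with the ATHENA identity sealed inside, realm-qualified lookup in /usr/etc/credentials), as an added Python simulation that is not part of the original message or of the Kerberos distribution. It assumes an HMAC tag in place of real ticket encryption, a `principal:uid` line format for the credentials file as guessed in the thread, and it adds one check the mail does not mention: the EECS KDC only accepts a foreign TGT that vouches for a user of the realm that issued it.

```python
import hashlib, hmac, secrets
# Toy sealing: an HMAC over the ticket fields stands in for encryption under a
# principal's key; whoever holds the same key can unseal (verify) the ticket.
def seal(key, fields):
    return fields, hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()

def unseal(key, ticket):
    fields, tag = ticket
    if not hmac.compare_digest(tag, seal(key, fields)[1]):
        raise PermissionError("ticket was not sealed with a key this realm holds")
    return fields

class KDC:
    def __init__(self, realm):
        self.realm, self.db = realm, {}            # db: principal -> key
    def issue_tgt(self, client, for_realm):        # cross-realm TGT when for_realm != ours
        tgs = f"krbtgt.{for_realm}@{self.realm}"
        return seal(self.db[tgs], [client, tgs])
    def issue_service_ticket(self, tgt, service):
        client, tgs = tgt[0]
        issuer = tgs.split("@")[1]
        # A TGT minted elsewhere names krbtgt.<us>@<them>; we hold the same key as krbtgt.<them>@<us>.
        entry = tgs if issuer == self.realm else f"krbtgt.{issuer}@{self.realm}"
        unseal(self.db[entry], tgt)                # proves it came from a realm we share a key with
        if not client.endswith("@" + issuer):      # added check: a realm vouches only for its own users
            raise PermissionError(f"{issuer} cannot vouch for {client}")
        return seal(self.db[service], [client, service])   # client identity sealed inside

def share_cross_realm_key(a, b):
    key = secrets.token_bytes(8)
    a.db[f"krbtgt.{b.realm}@{a.realm}"] = key
    b.db[f"krbtgt.{a.realm}@{b.realm}"] = key

def credentials_lookup(credentials_text, principal):
    """Lines assumed to look like 'nessus@ATHENA.MIT.EDU:654' (principal:uid)."""
    for line in credentials_text.splitlines():
        who, _, uid = line.strip().partition(":")
        if who == principal and uid.isdigit():     # the realm is part of the identity
            return int(uid)
    return None

def demo(client="nessus@ATHENA.MIT.EDU", creds="nessus@ATHENA.MIT.EDU:654\n"):
    athena, eecs = KDC("ATHENA.MIT.EDU"), KDC("EECS.MIT.EDU")
    share_cross_realm_key(athena, eecs)
    svc = "rvdsrv.server@EECS.MIT.EDU"
    eecs.db[svc] = secrets.token_bytes(8)
    tgt = athena.issue_tgt(client, "EECS.MIT.EDU")     # step 1: TGT for EECS from ATHENA
    ticket = eecs.issue_service_ticket(tgt, svc)      # step 2: presented to the EECS KDC
    who, _ = unseal(eecs.db[svc], ticket)             # step 3: rvdsrv reads the sealed identity
    return credentials_lookup(creds, who)             # uid from the credentials file, or None
```

`demo()` yields uid 654 for nessus@ATHENA.MIT.EDU, while a credentials line naming nessus@EECS.MIT.EDU grants nothing to that user, which is the reason the realm must appear in the ACL.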