Re: [Q] A Kerberos question.
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Sun Jan 8 22:20:04 1995
To: kerberos@MIT.EDU
Date: 9 Jan 1995 03:05:18 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)
(Cross-posted to and followups redirected to comp.protocols.kerberos.)
In article <3epi00$i3l@newsbf02.news.aol.com>, ocgrp@aol.com (OCGRP) writes:
|> If a user on a workstation logs into the Kerberos Server using the kinit
|> program.
Users do not "log into" the Kerberos server using kinit. Kinit is used to
obtain a ticket-granting ticket from the Kerberos server and to decrypt that
ticket using the user's password.
|> Then the user TELNETs into a UNIX server (assume TELNET
|> supports Kerberos). Now the user wants to TELNET again to another server
|> from the UNIX server already logged onto.
|>
|> Does the user need to re-issue the kinit program from the UNIX server to
|> login to the Kerberos Server again (to get a new session key and ticket
|> for the Ticket Granting Service) before the TELNET to the next server can
|> occur?
|>
|> User Workstation ----telnet---> UNIX Server ----telnet ---> Server
The Kerberos 5 protocol supports ticket forwarding, so that a user on host A
can forward a ticket to host B in a secure manner without rerunning kinit and
retyping a password, and then use that ticket on host B to access another
Kerberos-authenticated service.
However, Kerberos 4 has no support for ticket forwarding, and furthermore,
many of the Kerberos 5 implementations currently available don't support it
either. Watch for more of them to support it in the future, though.
In any case, in the absence of ticket forwarding support, a user can get
tickets securely on host B (the "UNIX Server" in your scenario) by running
kinit in an encrypted telnet connection from host A to host B, so that the
user's password is not transmitted in plaintext over the network.
|> Who distributes the kinit program in a commercial environment, is it the
|> Kerberos Server vendors, each operating system vendor, or the users
|> responsibility to port it to each operating system required?
I'm not sure what you mean by "in a commercial environment." There are
commercial software vendors who sell Kerberos implementations, including both
Kerberos server software and Kerberos client software such as kinit. Some
operating systems (e.g., BSD 4.4 and I believe Ultrix) come with Kerberos
clients and servers already installed as part of the base operating system.
Some vendors of modem annex hardware support Kerberos in their hardware, so
that users can dial in, get Kerberos tickets on the modem server, and then
make Kerberos-authenticated connections to other servers on the network.
Finally, the source code to Kerberos is freely available, so if you don't have
it already and don't want to pay for it, you can get it yourself and compile
it for your own use.
If you want more specific information, I'd say you should ask more specific
questions.
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com
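An added example, not part of the post above: before relying on Kerberos 5 ticket forwarding from host A, it is worth checking that the TGT obtained with `kinit -f` actually carries the forwardable flag. The function below parses `klist -f` output for a given realm; the principal, realm and klist output are constructed sample data, not taken from a real system.

```shell
#!/bin/sh
# Added example: decide whether the credential cache holds a forwardable TGT
# by parsing `klist -f` output (the Flags line only appears with -f).
# Typical sequence on host A:  kinit -f alice@EXAMPLE.COM ; klist -f | tgt_forwardable EXAMPLE.COM

# Constructed sample of `klist -f` output; principal and realm are placeholders.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/09/1995 03:05:18  01/09/1995 13:05:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

# tgt_forwardable REALM  (reads klist output on stdin)
# Prints "yes" if the krbtgt/REALM@REALM entry carries the capital-F
# (forwardable) flag, "no" otherwise.  Lowercase f means "forwarded",
# which is a different property, so the match is case-sensitive.
tgt_forwardable() {
    realm="$1"
    awk -v tgt="krbtgt/$realm@$realm" '
        # The ticket line names the service principal; the Flags line follows it.
        index($0, tgt) > 0 { in_tgt = 1; next }
        in_tgt && /^[[:space:]]*Flags:/ {
            if (index($2, "F") > 0) print "yes"; else print "no"
            found = 1; exit
        }
        { in_tgt = 0 }
        END { if (!found) print "no" }
    '
}

# Helper used for the checks below: feed the constructed sample to the parser.
check_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | tgt_forwardable "$1"
}

check_sample EXAMPLE.COM
```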