[4809] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Communication after authentication

daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Wed Mar 15 13:40:13 1995

To: kerberos@MIT.EDU
Date: 15 Mar 1995 18:30:27 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)

In article <3k6pmo$rq5@nms.telepost.no>, Fornavn Etternavn <fornavn.etternavn@saga.telemax.no> writes:
|> After the user is authenticated and have contact with the file server,
|> does he have to send the ticket along with the request the first time
|> he contacts the server, or every time he contacts it?

This depends entirely on the file-service protocol being used.

The Kerberized NFS protocol implemented at MIT requires only one ticket
exchange:

1) When the NFS mount request is sent to the server, a service ticket is
included in the request.  The UID of the user on the client machine (which
I'll call cUID below) and the address of the client machine (cADDR) are also
included in the request.

2) The server verifies that the ticket is valid (of course) and then looks up
the principal in it in a local database which maps principals to UID's (I'll
call the resulting UID sUID).

3) An entry is inserted into a table in the kernel, telling the Kernel that
whenever an NFS request from cUID on host cADDR is received, it should be
interpreted as a request from sUID on the server.

4) Expired mappings (i.e., mappings generated by tickets that have expired)
are periodically purged from the kernel table.

AFS, on the other hand, transmits a token, which is sort of like a Kerberos
ticket but different :-), to the AFS server with every AFS request.

|> Is the ticket used to identify the two communicating parts, or 
|> is it no identification at all?

I don't understand this question at all.

-- 
Jonathan Kamens  |  OpenVision Technologies, Inc.  |   jik@cam.ov.com

home help back first fref pref prev next nref lref last post