[4872] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Proposal for a SmartCard-Kerberos Implementation

daemon@ATHENA.MIT.EDU (Joe Ramus)
Mon Mar 27 14:46:20 1995

Date: Mon, 27 Mar 95 11:07:47 PST
From: ramus@nersc.gov (Joe Ramus)
To: kdrenard@arl.mil, kerberos@MIT.EDU, psszjan@psab.posten.se

>> From: psszjan@psab.posten.se

>> I'm not i Kerberos guru, but I think this is not the correct way to
>> implement Smart Card with Kerberos. SecurId is not what I call a Smart
>> Card. There are several standardized Smart Card concepts delivered by
>> for example Siemens, Bull and Philips, which I think is what should be
>> used. With SecurID you use a person to handle the communication between
>> card and computer. In our organization, that is not what users want. 
>> User requirement is an easy-to-use single logon to all the systems they use.
>> 
>> We have tested SecurID, and it is a technical well working product, but it
>> is not accepted by the users.
>> > 
>> > Environment:
>> > 	Kerberos 5 realm
>> > 	SecurID code is a one-time-use, time dependent, seeded (with PIN
>> > 	  entered onto card), password generating algorithm.  (You may
>> > 	  explore the applicability of your smart-card system)
>> > 	SecurID-only is not acceptable: (need SecurID code for every rsh, rcp)
>> > 	Users require access from various, unknown, "untrusted" hosts.
>> -- 
>> Jan Andersson                           e-mail: psszjan@psab.posten.se

I think there are 2 cases here.
The Smart Card that Jan Andersson refers to is most likely a card
which you insert into some sort of card reader.  That has some useful
benefits.  But what happens when you are off someplace at a site that
does not have such a card reader?

A card such as SecurID or others that have a human interface can be
used at any time from any kind of a terminal.

Also, the statement:
>> > 	SecurID-only is not acceptable: (need SecurID code for every rsh, rcp)
is misleading.

If a card such as SecurID is used to perform a Kerberos
authentication, then the Kerberos credentials can be used to securely
perform rsh, rcp, rlogin, telnet, ftp, etc.  Kerberos credentials can
also be securely forwarded to another host and used there to safely and
securely access services provided by that host.

----------------------------------------------------------------
| Joe Ramus  NERSC Livermore  (510) 423-8917   ramus@nersc.gov |
----------------------------------------------------------------

home help back first fref pref prev next nref lref last post