[4906] in Kerberos
Re: MIT Kerberos vs DCE-Kerberos
daemon@ATHENA.MIT.EDU (Jon Mauney)
Sat Apr 1 15:17:11 1995
To: kerberos@MIT.EDU
Date: 1 Apr 95 18:48:04 GMT
From: mauney@tophat.MIT.EDU (Jon Mauney)
Reply-To: jon@mauney.com
mikef@ack.berkeley.edu (Mike Friedman) writes:
>o What are all the areas of incompatibility between DCE-Kerberos and MIT
> Kerberos V5? I am familiar in general terms with some of them, but would
> like as complete a picture as possible.
From the DCE FAQ:
Q 29: Does DCE Security interoperate with other Kerberos systems?
Basically, no, or maybe yes, depending on what you want to do.
To use authenticated DCE services, you must have credentials from
the DCE security service; vanilla Kerberos v5 tickets aren't sufficient.
But then, to use DCE services you must be using DCE RPC, so this
is not really a problem.
Going the other way, it is expected that a DCE security server
can issue tickets that can be used by vanilla Kerberos applications.
The OSF was wary of promising this until the Kerberos v5 specs were
published, but now that the Kerberos RFC has been published, OSF
anticipates guaranteeing interoperability sometime "soon".
In a little more detail, the way to think about this is as follows:
Kerberos offers 2 services (Authentication Service, Ticket
Granting Service) over 1 communication mechanism (UDP port 88).
DCE security offers 3 services (AS, TGS, Privilege Service) over
2 communication mechanisms (UDP port 88, RPC).
Where Kerberos and DCE security intersect (AS, TGS over UDP port
88), the services are identical.
> (a) Vendor issues. Who supplies DCE and what is the quality of support?
> (b) Available platforms -- operating system and hardware.
DCE is supported on most Unix platforms, as well as (Open)VMS,
OS/2, Windows NT, etc. General DCE is sold and supported by the OS vendor,
but Digital and Gradient have products for Windows NT, Transarc sells
DCE for Solaris.
It will cost you on the order of $5k for the DCE servers. Runtime client
licenses will be needed for all the hosts that run the DCE-based product;
runtime licenses are now fairly cheap and often bundled with the OS.
>o With respect to my first item above, is anyone working on resolving the
> technical incompatibilities between MIT K5 and DCE-Kerberos, so that, for
> example, one could run MIT K5 servers and authenticate DCE-based clients
> (as well as MIT K5 and K4 kerberized clients)?
You'll have to do it the other way around: DCE security providing
support for MIT k5 clients. DCE v1.1 supports the GSSAPI
(Generic Security Service Application Program Interface )
--
Jon Mauney jon@mauney.com
Mauney Computer Consulting (919) 828-8053
Raleigh NC
"Have TGT, will travel."