[4934] in Kerberos
Re: Cross authentication question.
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Wed Apr 5 11:04:42 1995
To: kerberos@MIT.EDU
Date: 5 Apr 1995 14:52:04 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)
In article <5APR95.14303994@pfc.mit.edu>, mrl@pfc.mit.edu (Mark London) writes:
|> Cross-realm authentication involves having the user create a .KLOGIN file in
|> the remote realm's home directory. In it you place the username and hostname
|> of the local realm. What I don't understand is why the need for the username?
|> I.e. is it possible to allow authentication if the principal names are
|> different in the different realms? If not, then it seems to me that the
|> remote username must match the local realm's principal name no matter what,
|> correct? Thanks.
I am having enough trouble understanding your question that I believe you must
be confused about something :-). Therefore, rather than trying to answer your
specific question, I will try to give a general description about how
rlogin/rsh authentication works.
Incidentally, when you post in comp.protocols.kerberos, you should mention
what version of Kerberos you're posting about and where you got it from. I'm
guessing that you're asking about Kerberos 4, because Kerberos 4 uses .klogin
and Kerberos 5 uses .k5login, but I could be wrong.
Now, let's say that a user in realm FOO.COM has an account on a machine in
that realm with the username foouser. He also has a Kerberos principal, named
fooprinc@FOO.COM.
Let's also say that his alma mater, whose Kerberos realm is PODUNK.EDU, has
left his account there, on a machine named alumni.podunk.edu, intact. His
username for that account is poduser, and his Kerberos principal is
podprinc@PODUNK.EDU.
Important note: Usernames and Kerberos principals do not have to be the same
(I think that's one of the things you're confused about). They only have to
be the same when the login program on a host uses Kerberos rather than the
/etc/passwd file to verify someone's password, and creates a Kerberos ticket
file for the user when he logs in. In that case, they have to be the same
because login only prompts for one username, so it has to be both the user's
username and his Kerberos principal name.
Now, foouser wants to be able to access his poduser account from work. He
therefore creates a .klogin file in his home directory at school, and puts
this in it:
fooprinc@FOO.COM
Now, when he wants to log into his accont at school from work, he uses
(assuming that the Kerberos 4 rlogin program is installed as "krlogin", and
that he already has Kerberos tickets as fooprinc@FOO.COM):
krlogin alumni.podunk.edu -l poduser
Some notes:
* Kerberos rlogin authentication doesn't check usernames at all. I.e., as
long as the Kerberos principal in the ticket sent over the wire matches a
Kerberos principal in the .klogin file, the user is allowed to log in as the
requested user.
* If the user didn't specify "-l poduser" with the krlogin command, then it
would try to log him in as foouser, since the default username sent by rlogin
is the local username, That would fail, since there presumably isn't a
foouser account on alumni.podunk.edu (or, if there is, he probably don't have
access to it, so it would fail for that reason).
Does any of this answer your question?
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com