[5084] in Kerberos
Re: Telnet and login (Kerberos 4)
daemon@ATHENA.MIT.EDU (Donald T. Davis)
Thu May 4 18:09:32 1995
To: whalenm@aol.com (Whalenm)
Cc: don@cam.ov.com, kerberos@MIT.EDU
In-Reply-To: Your message of "04 May 1995 15:41:46 EDT."
<3obalq$c82@newsbf02.news.aol.com>
Date: Thu, 04 May 1995 18:01:45 -0400
From: "Donald T. Davis" <don@cam.ov.com>
> If a user has the right tickets he can telnet to another machine
> without typing in a password. However, once they are on this
> second machine no ticket file is created for them. How would one
> automatically create this for them? need only krbtgt.realm@realm
> in the ticket file.
generally, it's not a good idea to propagate tickets to the
remote site automatically, because a telnet server is usually
a shared host, and therefore can't be trusted to protect the
remote tickets from other users. if kerberos' proxy mechanism
were in place already, the right thing to do would be to give
the remote tickets reduced powers, so that they're less
theftworthy.
-don davis, boston