[5399] in Kerberos
Re: Use of rcmd vs. unique service tickets...
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Fri Jun 16 14:33:55 1995
To: kerberos@MIT.EDU
Date: 16 Jun 1995 18:25:09 GMT
From: marc@cam.ov.com (Marc Horowitz)

Hi Derrell :-)

>> I could create a new service and require that my client systems obtain
>> new srvtab files, but I can't think of any reason why this would be
>> any more secure than simply using the existing rcmd service tickets.

Not knowing much about VMS, I'll talk about how one might make this
decision on a unix box, and hope that there is a useful analogy.

The idea is that a kerberos principal identifies some entity within an
administrative domain. The most obvious kind of principal is one
which names a person, like marc@CAM.OV.COM. The next kind most people
are familiar with is a host's principal, like
rcmd.dun-dun-noodles@CAM.OV.COM, which is my desktop machine's name.
This principal is used when the host is acting as itself, to verify an
rlogin or telnet, kick off a backup, or something like that.

Beyond that, there are other services which use kerberos which are
different logical entities from the host. For instance, if you use
kerberized pop, the principal name is usually pop.serverhost@REALM.
This could use the rcmd key, but since the pop server is logically
different, it uses a different name. This is useful for several
reasons. First, if the pop key is compromised, only mail is affected,
not all access to the host. (Of course, if an rcmd key is
compromised, the entire host is compromised, but that's a unix issue,
not a kerberos issue.) Second, you might choose to run the pop server
as daemon, instead of root. If you use a different name, you can put
the key in another srvtab file, and not have the pop daemon able to
read root's srvtab file at all. Third, if you have to change the key,
only pop is affected.

The last kind of name applies to entities which are distributed in
such a way that host naming simply does not apply. Examples are
zephyr, which uses a name of zephyr/zephyr@REALM. The same key exists
in a srvtab on all replicated servers. The same is true for afs
(afs.afs-realm@KERBEROS-REALM), and the kerberos ticket-granting
service itself (krbtgt.REALM@REALM).

So, the answer is that if the service you are using is identified with
the host it is running on, then using the rcmd key is appropriate.
Otherwise, it would be best to choose another key.

Hope this helps.

Marc
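
The srvtab separation argued for in the message above can be checked mechanically. The following is an added example, not part of the original post or of any Kerberos distribution: it assumes the Kerberos 4 srvtab layout (three NUL-terminated strings for service, instance and realm, a 1-byte key version, an 8-byte DES key), and the file names, uid and zero-filled keys are constructed.

```python
import os, stat, tempfile

def entry(service, instance, realm, kvno, key=b"\x00" * 8):
    """Build one constructed srvtab entry (assumed Kerberos 4 layout)."""
    names = b"".join(s.encode("ascii") + b"\x00" for s in (service, instance, realm))
    return names + bytes([kvno]) + key

def parse_srvtab(data):
    """Return [(service, instance, realm, kvno)]; key bytes are skipped."""
    entries, pos = [], 0
    while pos < len(data):
        fields = []
        for _ in range(3):
            end = data.index(b"\x00", pos)  # ValueError if an entry is cut short
            fields.append(data[pos:end].decode("ascii"))
            pos = end + 1
        if pos + 9 > len(data):  # 1-byte key version + 8-byte DES key
            raise ValueError("truncated key material")
        entries.append((fields[0], fields[1], fields[2], data[pos]))
        pos += 9
    return entries

def audit(path, daemon_uid):
    """Findings for a srvtab that a daemon running as daemon_uid reads."""
    with open(path, "rb") as f:
        services = sorted({e[0] for e in parse_srvtab(f.read())})
    findings = []
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible beyond its owner")
    if daemon_uid != 0 and "rcmd" in services:
        findings.append("non-root daemon can read the host (rcmd) key")
    if len(services) > 1:
        findings.append("one file holds keys for: " + ", ".join(services))
    return findings

def demo():
    """Audit a shared srvtab and a pop-only srvtab built in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        shared, split = os.path.join(d, "srvtab"), os.path.join(d, "srvtab.pop")
        with open(shared, "wb") as f:
            f.write(entry("rcmd", "serverhost", "REALM", 1) + entry("pop", "serverhost", "REALM", 1))
        with open(split, "wb") as f:
            f.write(entry("pop", "serverhost", "REALM", 2))
        os.chmod(shared, 0o644)
        os.chmod(split, 0o600)
        return audit(shared, daemon_uid=1), audit(split, daemon_uid=1)

if __name__ == "__main__":
    for findings in demo():
        print(findings or "ok")
```

The shared file yields three findings; the pop-only file, readable by its owner alone, yields none.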