[6794] in Kerberos
Combining Kerberos/DCE with SecureId/SKey authentication
daemon@ATHENA.MIT.EDU (Ed Hill)
Thu Feb 29 20:05:14 1996
To: kerberos@MIT.EDU
Date: 29 Feb 1996 16:39:10 -0600
From: edhill@strobe.weeg.uiowa.edu (Ed Hill)
Hello,
The Kerberos model works great when you have a kerberos client to authenticate
to and then pass your tickets around the net. I'm using both DCE and Kerberos
from my desktop to bounce around machines within our net.
But, when I dial in from home or from another insecure net without DCE/Kerberos
clients, I don't want to run kinit or dce_login since I would have to type in
my DCE/Kerberos over an insecure net, defeating the purpose of having DCE or
Kerberos installed.
I can install S/Key or SecureID systems on hosts that would allow me to connect
using non-reusable passwords, but I don't want to have to install two
authentication packages on each system. What I would really like is to have a
single proxy that I have install S/Key on that I can connect to, and then get
my Kerberos or DCE tickets.
I understand that this is not possible, without embedding your DCE/Kerberos
password somewhere on that system.
How do others solve this problem - do you solve it? In the Kerberos FAQ it
mentions that it would be possible to incorporate a challenge-response type of
password authentication, but is anyone really working on it. Are there people
out there who try to solve this problem? If so how?
-Ed Hill (ed-hill@uiowa.edu)
Systems Administrator - Information Technology Services - University of Iowa
"I am Homer of Borg, prepare to be assim... Ooooooooh donuts!"
