[7059] in Kerberos
Re: login.krb5 problem
daemon@ATHENA.MIT.EDU (Donn Cave)
Thu Apr 11 00:00:14 1996
To: kerberos@MIT.EDU
Date: Wed, 10 Apr 1996 10:09:01 -0700
From: donn@u.washington.edu (Donn Cave)

Taking the opposite tack, I'm interested in people's perspectives
on whether this is a good idea, or a bad idea.

If I understand Tom right, he's asking "login" to get and save Kerberos
credentials, like "kinit" would.

I think one of my colleagues here did something like that for DCE,
before he left, and I expect that this concept will be appealing to
my group. We're survivors from the mainframe era, still running
centralized computer services for the campus, and this central
facility is all we control and support.

In theory, the ideal Kerberos environment obviously reaches outside
our domain, to desktop workstations, terminal servers and so forth,
and the kinit authentication step belongs out there, rather than on
our central hosts. Unfortunately, though, in practice we can't make
that happen, since we have no control over and little involvement
with this area. And even if we did have some influence, it's hard to
be optimistic about the software support for it - it does not seem
that DCE/K5-ized environment (kinit), and applications - web browsers,
mail clients, ftp, etc. - are particularly abundant for even the most
common PC platforms, and then there are X terminals and so forth.
In a few years, it may be a more attractive market for this kind of
software, but for now even vaporware would be encouraging.

Yet we want DCE, mainly for DFS at the moment, and we can make
an internally kerberized environment on our central hosts. So that's
what I suppose we're likely to do, make the best of a ``single-login''
environment on our UNIX computers. My concern is that we could
undermine what was already the really tricky part. By making the
best of this essentially inappropriate model - hiding a kinit in
our login, stripping the Kerberos warnings out and so forth, we'd
sugar-coat its inadequacies and actually obscure the role that their
own PC Kerberos environment could play, if they could find one.

So, what do you think - any qualms about putting kinit into login?

Donn Cave, University Computing Services, University of Washington
donn@u.washington.edu