[7144] in Kerberos


Re: Dial-In Servers and Kerberos

daemon@ATHENA.MIT.EDU (warlord@MIT.EDU)
Mon Apr 22 19:34:16 1996

From: warlord@MIT.EDU
Date: Mon, 22 Apr 1996 19:21:13 -0400
To: Sam Hartman <hartmans@MIT.EDU>
Cc: nhenry@netcom.com (Neil R. Henry), kerberos@MIT.EDU
In-Reply-To: "[7132] in Kerberos"

My Bachelor's Thesis was on remote Kerberos authentication.  The idea
was to provide a means to use Kerberos as an authentication system
securely even when access to the KDC was denied.  For example, it
allows a user to dial up to a machine on the network and log in
using Kerberos, but provide a secure Kerberos connection.

The system I designed required knowledge of Kerberos on the end client
(your home machine), and the login server would perform a handshake
between the client and the KDC.  Users type their password locally and
the Kerberos ticket validation is done locally as well.  Using this
system you never have to type your password over the phone line.

The thesis is entitled "Charon: Kerberos Extensions for Authentication
over Secondary Networks" and is available via this URL:
	ftp://toxicwaste.mit.edu/pub/charon/thesis.ps.Z

The code has never been released; however, if there is enough interest
I might release the raw sources.  It is not close to release quality,
even though I do use it personally.

-derek

PS: It also works well with proxy firewalls: I use charon to log into
my MIT account from work through the firewall -- authenticating using
Kerberos without typing my password over the network.
