[7181] in Kerberos
Re: rkinit
daemon@ATHENA.MIT.EDU (Richard Basch)
Wed May 1 10:45:26 1996
Date: Wed, 1 May 1996 10:17:06 -0400
To: schemers@leland.Stanford.EDU (Roland Schemers)
Cc: kerberos@MIT.EDU
In-Reply-To: <4m71ap$k5@elaine22.Stanford.EDU>
From: "Richard Basch" <basch@lehman.com>
On , 30-April-1996, "Roland Schemers" wrote to "kerberos@MIT.EDU" saying:
> In article <199604302356.TAA03052@badger.lehman.com>,
> Richard Basch <basch@lehman.com> wrote:
> >Kerberos credential is not checked by AFS. In other words, you could
> >forward your afs ticket (hopefully encrypted in the rlogin or some other
> >session key) to the remote side, and then stuff that into the kernel,
> >using the appropriate pioctl() on behalf of the user. It does alleviate
> >the user having to retype their password merely to issue an rlogin
> >command.
>
> That is exactly what my kftgt program does. It securely forwards your tgt
> to a remote host. You can then use aklog to grab a token when you
> login. I hacked up /bin/login to do the aklog thing automatically.
I don't see how a forwarded TGT could work with Kerberos; the IP
addresses will be wrong. The afs ticket also could have the wrong IP
address, but the service (AFS fileserver) does not verify it. By
default, Kerberos services will reject any request not coming from the
IP address encrypted in the ticket -- AFS may be a Kerberos service, per
se, but it re-implemented the Kerberos decoding and neglected the IP check.
--
Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
