[874] in Kerberos
Re: Kerberos and administration of users
daemon@ATHENA.MIT.EDU (Jon A. Rochlis)
Wed Jan 24 20:16:34 1990
From: jon@MIT.EDU (Jon A. Rochlis)
To: lauer@BTC.KODAK.COM (Hugh C. Lauer)
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Your message of Wed, 24 Jan 90 17:33:26 -0500.
Am I overlooking something very simple and dumb, or am I expecting too
much of Kerberos?
I think you are expecting too much. Remember Kerberos is just
providing authentication service (it tells a service who you are),
nothing more. What you are asking for is authorization (should the
service allow you to access its resources, i.e. login in the case of
a remote login service).
Do I have to register all of the users of all of my
sites in a giant /etc/passwd file and propagate it everywhere? or what?
Basically you must have some authorization policy which your remote
login server implements. The most obvious is the default:
    if kerberos user "a.b@r" tries to login as unix user xxx
        look up xxx in /etc/passwd
        if xxx doesn't exist deny the login (possibly falling
            back to asking for an account/password, which
            has *nothing* to do with kerberos)
        if xxx does exist then
            look in ~xxx/.klogin for a line authorizing
            a.b@r to login as xxx. if found allow the login.
            if ~xxx/.klogin doesn't exist allow the login
            only if the kerberos name is xxx.null@local-realm
(I should mention that if you're logged into a unix machine as
"lauer", kinit as "testuser", and type "rlogin somehost", you will be
attempting to login to "somehost" as the unix user "lauer" with
Kerberos credentials of "testuser.null@local-realm". If you wanted to
login say, as root, you would need to do "rlogin somehost -l root",
and if testuser was in ~/.klogin on somehost you would win.)
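The default authorization policy above, as an added example written for this archive (it is not code from Jon's message or from the Kerberos distribution): a model of the .klogin check, with the passwd table, the .klogin contents and the local realm passed in as constructed values so it runs offline. It assumes the V4 principal notation name[.instance]@realm, with the ".null" instance in the text standing for an empty instance.

```python
def parse_principal(principal, local_realm):
    """Split a V4 principal 'name[.instance][@realm]' into (name, instance, realm).

    Assumption: the message's 'xxx.null@realm' spelling denotes an empty
    instance, so 'null' is normalised to '' here.
    """
    if "@" in principal:
        name_part, realm = principal.split("@", 1)
    else:
        name_part, realm = principal, local_realm
    if "." in name_part:
        name, instance = name_part.split(".", 1)
    else:
        name, instance = name_part, ""
    if instance == "null":
        instance = ""
    return name, instance, realm


def kuserok(principal, unix_user, passwd_users, klogin_lines, local_realm):
    """Return True if principal may log in as unix_user under the default policy.

    passwd_users : set of account names present in /etc/passwd (constructed)
    klogin_lines : lines of ~unix_user/.klogin, or None if the file is absent
    """
    # 1. The target account must exist; otherwise deny. Any fallback to an
    #    account/password prompt is outside Kerberos entirely.
    if unix_user not in passwd_users:
        return False
    wanted = parse_principal(principal, local_realm)
    # 2. With a .klogin present, authorize only if one of its lines names
    #    exactly this principal (compared after normalisation, not as text).
    if klogin_lines is not None:
        return any(
            parse_principal(line.strip(), local_realm) == wanted
            for line in klogin_lines
            if line.strip()
        )
    # 3. Without a .klogin, allow only the same-named principal with an
    #    empty instance in the local realm (xxx.null@local-realm above).
    return wanted == (unix_user, "", local_realm)
```

Under this model, "kinit testuser; rlogin somehost" as unix user lauer is denied unless ~lauer/.klogin lists testuser, while "rlogin somehost -l root" succeeds only if ~root/.klogin does.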
The issue here, as you note, is how you get /etc/passwd on the
thousands of machines you might find. You have a couple of realistic
options:
    maintain accounts in a central database and download to each
        server periodically
    maintain accounts in a central database and have the servers
        query nameservers to get the data (ala Yellow Pages
        and Hesiod)
    (note there are security issues with how this information is
    delivered to the servers)
Athena has several systems which help out with authorization,
including Moira (the service management system) and Hesiod (the
nameserver). There are several papers about this available for
anonymous ftp from athena-dist.mit.edu, including a paper outlining
all the various services which make up the Athena distributed
environment. Kerberos is just one of the services. Expecting
Kerberos to provide all the services required to run such an
environment is asking a bit much.
-- Jon