[875] in Kerberos
re: Kerberos and administration of users
daemon@ATHENA.MIT.EDU (Jerome H Saltzer)
Thu Jan 25 15:37:07 1990
To: lauer@BTC.KODAK.COM (Hugh C. Lauer), jon@MIT.EDU (Jon A. Rochlis)
Cc: kerberos@ATHENA.MIT.EDU
From: Jerome H Saltzer <Saltzer@MIT.EDU>
In-Reply-To: Message of Wed, 24 Jan 90 19:35:38 EST
Jon is correct that the question here is one of authorization policy, which lies
outside Kerberos. However, it may not be so hard to create a policy that does
what Hugh needs. The key is his assertion that he is prepared to trust the
various administrators of his several systems.
Suppose he were to modify the remote login server policy to be something like
the following:
    if kerberos user "xxx@r" tries to login as unix user xxx
        look up xxx in /etc/passwd
        if xxx doesn't exist then
            if "r" is the realm that this system trusts ("local-realm")
                create user xxx, with password "*"
            if not, deny the login
        if xxx does exist then
            look in ~xxx/.klogin for a line authorizing
            xxx@r to login as xxx.  if found allow the login.
            if ~xxx/.klogin doesn't exist allow the login
            only if the kerberos name is xxx.null@local-realm
That is essentially the same policy we use on Athena workstations (with regular
login, rather than rlogin) and it seems to have approximately the properties
that Hugh requires. Making the same change in policy to local login would
permit a Kerberos-registered user to walk up to a system at a different site and
login.
Jerry
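The login policy sketched above, written out as a pure decision function; this is an added example, not part of Saltzer's message or of any Kerberos release. LOCAL_REALM, the passwd set, the klogin_files dict and the sample principals are constructed assumptions, and "xxx.null" is read as a Kerberos 4 principal with an empty instance.

```python
# Added example: decision function for the remote-login policy in the message.
# All names and data shapes here are assumptions, not Kerberos code.
from dataclasses import dataclass

LOCAL_REALM = "LOCAL-REALM.EXAMPLE"  # constructed stand-in for "local-realm"


@dataclass
class Decision:
    allow: bool
    create_account: bool = False  # True when the policy says "create user xxx, password *"
    reason: str = ""


def parse_principal(principal):
    """Split 'name[.instance]@REALM' into (name, instance, realm); '' instance = null."""
    name_part, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal must carry a realm")
    name, _, instance = name_part.partition(".")
    return name, instance, realm


def authorize_login(principal, target_user, passwd, klogin_files, local_realm=LOCAL_REALM):
    """passwd: set of existing Unix user names.
    klogin_files: dict user -> list of ~user/.klogin lines; absent key = no .klogin file."""
    name, instance, realm = parse_principal(principal)
    # The message only covers principal "xxx@r" logging in as Unix user "xxx";
    # anything else is denied here (an assumption of this example).
    if name != target_user:
        return Decision(False, reason="principal name does not match requested Unix user")
    if target_user not in passwd:
        if realm == local_realm:
            return Decision(True, create_account=True, reason="create user with password '*'")
        return Decision(False, reason="unknown user from a realm this system does not trust")
    if target_user in klogin_files:
        # .klogin exists: only principals explicitly listed may log in.
        entries = {ln.strip() for ln in klogin_files[target_user]
                   if ln.strip() and not ln.lstrip().startswith("#")}
        if principal in entries:
            return Decision(True, reason=".klogin authorizes this principal")
        return Decision(False, reason="principal not listed in .klogin")
    # No .klogin: allow only the null-instance principal from the local realm.
    if instance == "" and realm == local_realm:
        return Decision(True, reason="default: xxx.null@local-realm")
    return Decision(False, reason="no .klogin and principal is not xxx.null@local-realm")
```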