[892] in Kerberos
kerberos tickets and rlogin behavior
daemon@ATHENA.MIT.EDU (Nathaniel Howard)
Tue Mar 27 22:26:02 1990
From: buzz!nrh@bellcore.bellcore.com (Nathaniel Howard)
To: kerberos@ATHENA.MIT.EDU
Hi,
I'm fooling around with Kerberos, and recently had cause to feel a good
deal more foolish.
It's extremely common around here to rlogin from one's workstation to
someplace else, from there to a third place, and so on.
Not having a very firm grasp of Kerberos, I brought up klogin and friends
on one of our machines and tried to rlogin in to it using the kerberized
rlogin. Everything worked fine (congratulations!) but I got this message
that said:
Warning: No Kerberos tickets obtained.
After a great deal of fooling around and trying to avoid reading the
documentation and code, the light dawns: it's *impossible* for the
login program to obtain Kerberos tickets *unless* you give it a
password to obtain tickets *with*. If your Kerberos tickets on
what I'll call the "from" system are sufficient to let you into the "to"
system without giving a password, once on the "to" system, to go to
a third place (or to make any other use of kerberized services on the
"to" system) you'd have to retype your password.
Do I have this right? It seems a little limiting... It means that
users on the "to" machine would then have to type their passwords (over
the net) again before going from there to someplace else, and this is,
after all, part of what Kerberos was trying to avoid...
Of course, rlogin -x avoids some of this, but that's a lot of work...
