[893] in Kerberos
re: kerberos tickets and rlogin behavior
daemon@ATHENA.MIT.EDU (John T Kohl)
Wed Mar 28 13:48:31 1990
From: John T Kohl <jtkohl@ATHENA.MIT.EDU>
To: buzz!nrh@bellcore.bellcore.com (Nathaniel Howard)
Cc: kerberos@ATHENA.MIT.EDU
... it's *impossible* for the
login program to obtain Kerberos tickets *unless* you give it a
password to obtain tickets *with*. If your Kerberos tickets on
what I'll call the "from" system are sufficient to let you into the "to"
system without giving a password, once on the "to" system, to go to
a third place (or to make any other use of kerberized services on the
"to" system) you'd have to retype your password.
Do I have this right? It seems a little limiting...
It depends on your typical mode of use. At Project Athena, users log
into a workstation, get tickets there, and then occasionally log into
other machines from there.
In most cases, the user goes only ONE HOP, from the workstation to the
target machine, so there's not a problem.
John
