[609] in Kerberos-V5-bugs
Shortcuts in Cross Realm Authentication
daemon@ATHENA.MIT.EDU (Doug)
Mon Aug 1 09:58:50 1994
Date: Mon, 01 Aug 94 08:58:32 CDT
From: "Doug" <Engert@anl.gov>
To: <GLENZ@OCSG.COM>
Cc: <KRB5-BUGS@MIT.EDU>, <AUTH-PILOT@ES.NET>
Glen,
Glad to hear that others are interested in this problem as well.
The shortcut code I submitted to MIT WAS for 5.4.1 and works in
conjunction with the standard hierarchical cross realm
authentication.
Back around April 1, we exchanged notes on cross realm where you
asked about the "V4-style inter-realm authentication", that's
where two realms share keys directly. If that is your
modification, then it is there and does work.
I looked in 5.4.1 and 5.3 to see if there was any other changes
which would do cross realm authentication like the shortcuts. All
I see is the V4-style inter-realm authentication. I don't see
anything which looks like a shortcut code. Walk_rtree.c are
identical, gc_via_kdc.c and gc_via_tgt.c look like bug fixes
only. If the V4-style inter-realm authentication is not yours,
then I would be interested in which modules you changed in 5.4.1.
I would also be interested in how you can do the routing without
having a configuration file. For example, how would you pick a
"route" when you have realms like this:
o ANL.GOV, FNAL.GOV, LLNL.GOV, PNL.GOV, and NERSC.GOV all are
members on ES.NET and want to cross authenticate using the
ES.NET realm.
o But ANL.GOV, and FNAL.GOV are also members of HEP.NET, and
would rather cross authenticate using HEP.NET rather than
ES.NET. (An example, ANL and FNAL have not discussed this.)
Also note that all subrealms of all these organizations can use
these shortcuts as well. i.e. ECT.ANL.GOV could cross
authenticate to CTD.PNL.GOV by following the path:
ECT.ANL.GOV
ANL.GOV
ES.NET
PNL.GOV
CTD.PNL.GOV
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
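As an added illustration (not code from Doug's submission, whose configuration file format is not shown in this thread), the following Python sketches the route selection discussed above: a standard hierarchical walk plus a constructed per-realm shortcut table listing the intermediate realms each realm shares keys with, in preference order, so ANL.GOV and FNAL.GOV prefer HEP.NET over ES.NET. The SHORTCUTS table and the `route` function are assumptions for this example.

```python
"""Cross-realm route selection for Kerberos V5: hierarchical walk plus shortcuts."""

# Constructed shortcut configuration (format assumed, not the one submitted to MIT):
# realm -> intermediate realms it shares keys with, most preferred first.
SHORTCUTS = {
    "ANL.GOV":   ["HEP.NET", "ES.NET"],
    "FNAL.GOV":  ["HEP.NET", "ES.NET"],
    "LLNL.GOV":  ["ES.NET"],
    "PNL.GOV":   ["ES.NET"],
    "NERSC.GOV": ["ES.NET"],
}


def ancestors(realm):
    """Realm followed by its hierarchical parents, nearest first:
    ECT.ANL.GOV -> ['ECT.ANL.GOV', 'ANL.GOV', 'GOV']."""
    parts = realm.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def hierarchical_path(src, dst):
    """Walk up from src to the nearest common ancestor, then down to dst.
    Returns None when the two realm names share no suffix at all."""
    up, down = ancestors(src), ancestors(dst)
    common = next((r for r in up if r in down), None)
    if common is None:
        return None
    return up[: up.index(common)] + [common] + list(reversed(down[: down.index(common)]))


def shortcut_path(src, dst, shortcuts):
    """Pick the first hub, in src-side preference order, that some ancestor of src
    and some ancestor of dst both share keys with; None if nothing matches."""
    up, down = ancestors(src), ancestors(dst)
    for i, a in enumerate(up):
        for hub in shortcuts.get(a, []):
            if hub == dst:                      # direct key with the target realm itself
                return up[: i + 1] + [dst]
            for j, b in enumerate(down):
                if hub in shortcuts.get(b, []):
                    return up[: i + 1] + [hub] + list(reversed(down[: j + 1]))
    return None


def route(src, dst, shortcuts=SHORTCUTS):
    """Preferred route: a configured shortcut when one exists, else the hierarchical walk."""
    if src == dst:
        return [src]
    return shortcut_path(src, dst, shortcuts) or hierarchical_path(src, dst)


if __name__ == "__main__":
    for src, dst in [("ECT.ANL.GOV", "CTD.PNL.GOV"), ("ANL.GOV", "FNAL.GOV")]:
        print(src, "->", dst, ":", " -> ".join(route(src, dst)))
```

Every realm on the returned path issues a ticket-granting ticket that the next hop has to trust, so the set of acceptable intermediate realms is something each site has to state explicitly rather than discover.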
----- ------ ----- ----- ----- ----- ----- ----- ----- -----
Date: Sun, 31 Jul 1994 10:28:00 -0700 (PDT)
From: Glen Zorn <glenz@ocsg.com>
Subject: Re: Shortcuts in Cross Realm Authentication
To: Doug Engert <DEEngert@anl.gov>
In-Reply-To: <9407281948.AA13658@MIT.EDU>
Message-Id: <Pine.3.05.9407311055.C29240-a100000@geek.ocsg.com>
Doug ~
We have had shortcut (as well as standard hierarchical) inter-realm
authentication running for some time, without extra config files. We
submitted our changes to MIT, and I believe that they were included in B4.
Check it out!
~ gwz
Glen Zorn Senior Scientist
glenz@OCSG.COM CyberSafe Corporation
Since I was forced to write it by the alien parasite which attached itself to
my brain stem during my recent visit to an isolated area of Northern Arizona,
it could hardly be construed that this message would reflect either the
opinions or policies of my employer.