[612] in Kerberos-V5-bugs
More on Shortcuts
daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Aug 2 09:53:25 1994
Date: Tue, 02 Aug 94 08:53:07 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <bcn@ISI.EDU>
Cc: <krb5-bugs@MIT.EDU>, <auth-pilot@es.net>
Clifford Neuman writes:
>> I know that the Beta 4 code submitted by CyberSAFE does support
>> shortcuts. I tested it myself. Note that the shortcut is provided by
>> the KDC when responding to a request. If the requested realm is not
>> present, it will return the realm closest to the target for which it
>> does share a key. Are you sure that you are not running a mix of old
>> code with local mods with only some functions from Beta 4?
I am running the krb5.src.B4-1.tar.Z and krb5.crypto.B4-1.tar.Z
with isode.tar.Z from k5.3 for some archs built with Imake.
Can you point me at some code which I can look at to
verify if I have the CyberSAFE mods?
You said "it will return the realm closest to the target for which
it does share a key." How do you define closest? Does it depend
on the realm names, and check all the realms returned by the
walk_rtree routine to see if it has a key?
But the code I submitted does more. It alters the list returned
by walk_rtree, and inserts and/or deletes realms. As such it may work
with the CyberSAFE code, if the CyberSAFE code uses the walk_rtree
list.
The ESNet Authentication Pilot Project is trying to use cross
realm authentication by having an ESNet realm which will share
keys with the rest of the member organizations, i.e. 2N rather
than N(N-1) keys. These organizations don't want to have their
realm names depend on the name of the ESNet realm. Therefore just
walking the realm names will not work.
I sent this example yesterday to Glen Zorn. Can the CyberSAFE
code handle this situation:
I would also be interested in how you can do the routing without
having a configuration file. For example, how would you pick a
"route" when you have realms like this:
o ANL.GOV, FNAL.GOV, LLNL.GOV, PNL.GOV, and NERSC.GOV all are
members on ES.NET and want to cross authenticate using the
ES.NET realm.
o But ANL.GOV, and FNAL.GOV are also members of HEP.NET, and
would rather cross authenticate using HEP.NET rather than
ES.NET. (An example, ANL and FNAL have not discussed this.)
Also note that all subrealms of all these organizations can use
these shortcuts as well. i.e. ECT.ANL.GOV could cross
If it can figure out how to get from ANL.GOV to FNAL.GOV, when
these do not share keys, by using the HEP.NET realm and not the
ES.NET realm, that would be a real trick.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
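The realm-path selection this message argues about, as an added example that is not part of the original thread and not code from the krb5 Beta 4 distribution or the CyberSAFE submission. It models a hierarchical walk over realm names in the style the thread attributes to walk_rtree, a configured shortcut table that inserts and deletes realms in that path (modelled on the later krb5.conf [capaths] section, an assumption here), and the KDC behaviour Neuman describes of returning the realm closest to the target for which the KDC shares a key. The key table, the [capaths]-style table and the function names are constructed for the example; the realm names are the ones from the message.

```python
"""Cross-realm routing for Kerberos: hierarchical walk, configured shortcuts,
and per-KDC next-hop choice. Added example; all data below is constructed."""

from typing import Dict, List, Optional, Set, Tuple

Capaths = Dict[Tuple[str, str], List[str]]   # (client realm, server realm) -> intermediates
KeyTable = Dict[str, Set[str]]                # realm -> realms it shares a cross-realm key with


def realm_ancestors(realm: str) -> List[str]:
    """ECT.ANL.GOV -> ['ECT.ANL.GOV', 'ANL.GOV', 'GOV']."""
    chain = [realm]
    while "." in chain[-1]:
        chain.append(chain[-1].split(".", 1)[1])
    return chain


def walk_rtree(client: str, server: str) -> List[str]:
    """Hierarchical realm path, both ends inclusive, derived from names only.

    Intermediate realms come purely from the names, so ANL.GOV -> FNAL.GOV
    goes via the common parent GOV whether or not anyone runs a GOV realm.
    """
    up = realm_ancestors(client)
    down = realm_ancestors(server)
    common = next((r for r in up if r in down), None)
    if common is None:
        # No shared suffix: climb to the top on both sides (GOV, CH, ...).
        return up + list(reversed(down))
    return up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))


def apply_shortcuts(path: List[str], capaths: Capaths) -> List[str]:
    """Rewrite the name-derived path from a configured shortcut, if one exists.

    This is the 'alters the list returned by walk_rtree' step: configured
    intermediates replace the hierarchical ones, so ES.NET or HEP.NET can be
    in the path although neither is a parent of ANL.GOV or FNAL.GOV.
    """
    client, server = path[0], path[-1]
    via = capaths.get((client, server))
    if via is None:
        return path
    return [client] + [r for r in via if r not in (client, server)] + [server]


def kdc_next_hop(kdc_realm: str, path: List[str], keys: KeyTable) -> Optional[str]:
    """Realm the KDC of kdc_realm refers the client to for a request toward path[-1].

    Per the thread: the realm closest to the target for which this KDC shares
    a key. None means the KDC has no usable cross-realm key along the path.
    """
    if kdc_realm not in path:
        return None
    here = path.index(kdc_realm)
    for realm in reversed(path[here + 1:]):
        if realm in keys.get(kdc_realm, set()):
            return realm
    return None


def route(client: str, server: str, capaths: Capaths, keys: KeyTable) -> Optional[List[str]]:
    """Hop-by-hop referral chain from client to server, or None if it dead-ends."""
    path = apply_shortcuts(walk_rtree(client, server), capaths)
    hops = [client]
    while hops[-1] != server:
        nxt = kdc_next_hop(hops[-1], path, keys)
        if nxt is None or nxt in hops:
            return None
        hops.append(nxt)
    return hops


def shared(*pairs: Tuple[str, str]) -> KeyTable:
    """Build a symmetric key table from (realm, realm) pairs (constructed data)."""
    keys: KeyTable = {}
    for a, b in pairs:
        keys.setdefault(a, set()).add(b)
        keys.setdefault(b, set()).add(a)
    return keys


# Constructed topology from the message: hub realms hold the keys (2N, not
# N(N-1)); member labs share no key with each other. ECT.ANL.GOV is given a
# direct HEP.NET key purely to show the "closest realm with a key" rule.
KEYS = shared(
    ("ES.NET", "ANL.GOV"), ("ES.NET", "FNAL.GOV"), ("ES.NET", "LLNL.GOV"),
    ("ES.NET", "PNL.GOV"), ("ES.NET", "NERSC.GOV"),
    ("HEP.NET", "ANL.GOV"), ("HEP.NET", "FNAL.GOV"), ("HEP.NET", "ECT.ANL.GOV"),
    ("ANL.GOV", "ECT.ANL.GOV"),
)

# Constructed [capaths]-style shortcut table (an assumption, not Beta 4 config).
CAPATHS: Capaths = {
    ("ANL.GOV", "FNAL.GOV"): ["HEP.NET"],            # prefer HEP.NET over ES.NET
    ("ANL.GOV", "LLNL.GOV"): ["ES.NET"],
    ("ECT.ANL.GOV", "LLNL.GOV"): ["ANL.GOV", "ES.NET"],
    ("ECT.ANL.GOV", "FNAL.GOV"): ["ANL.GOV", "HEP.NET"],
}

if __name__ == "__main__":
    for c, s in [("ANL.GOV", "FNAL.GOV"), ("ANL.GOV", "LLNL.GOV"),
                 ("ECT.ANL.GOV", "LLNL.GOV"), ("ECT.ANL.GOV", "FNAL.GOV")]:
        print(c, "->", s, "names only:", route(c, s, {}, KEYS),
              "with shortcuts:", route(c, s, CAPATHS, KEYS))
```

Two points the run makes concrete: with names alone the walk puts GOV between ANL.GOV and FNAL.GOV and no KDC on that path holds a key for the next realm, so the referral dead-ends; and once the shortcut table puts HEP.NET in the path, the ECT.ANL.GOV KDC refers straight to HEP.NET rather than to its parent ANL.GOV, because HEP.NET is the realm closest to the target for which it holds a key.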