[1588] in Kerberos_V5_Development
Re: ftpd should allow protection to be required
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Aug 15 18:14:56 1996
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: brlewis@MIT.EDU, Sam Hartman <hartmans@MIT.EDU>, krbdev@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 15 Aug 1996 18:14:31 -0400
In-Reply-To: "Theodore Y. Ts'o"'s message of Thu, 15 Aug 1996 14:07:11 -0400
>>>>> "Theodore" == "Theodore Y Ts'o" <tytso@MIT.EDU> writes:
Theodore> This is more of an implementation issue. Of course, the
Theodore> functionality that you really want isn't really an
Theodore> AUTHENTICATION option, but rather a
Theodore> SESSION-KEY-ESTABLISHMENT option for the purposes of
Theodore> making encryption option.
Theodore> Using Kerberos V5, there's a much simpler solution to
Theodore> the problem; we can just forward the V5 credentials to
Theodore> the remote machine as part of the telnet authentication.
Theodore> That way, you have remote tickets on the server without
Theodore> requiring the user to type her password over again. In
Theodore> order to get AFS tokens, we'll have to take the V5
Theodore> tickets and get them converted to use V4 tickets, using
Theodore> krb524d, but that's only a little bit extra work.
This works only if you want to use Kerberos authorization.
There was a situation wdc brought up with regard to the libraries
where you actually wanted to establish an encrypted session then use a
different authorization mechanism--at the time, I think it was
everyone is authorized or something like that. The telnetd man page
strongly implies you can do this, but you can't.
Theodore> I have a UROP student working on doing exactly this for
Theodore> the V5 ftpd, for the Athena dialup ftp service.
In the Changelogs from the MIT release for the Cygnus Kerberos
installed here at Parc, it looks like they have already implemented
this. Have you already checked to make sure we can't get code from
them?
Theodore> - Ted