[102] in Kerberos
re: knetd
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:28:33 1987
From spm@ATHENA.MIT.EDU Mon Sep 22 21:36:43 1986
To: kerberos
Subject: re: knetd
Date: Mon, 22 Sep 86 21:30:16 -0500
From: Steve Miller <spm@ATHENA.MIT.EDU>
After being away for a week, I read all the notes re knetd.
I agree with Jerry's goals of minimizing new well-known ports and
the disruption to existing protocols.
Knetd could clearly address the new ports issue simply, while not
requiring any extra tables (other than the knetd) on the server.
From there, I am in closest agreement with Jeff, that is, embed
the existing rd_ap_req() in the Kerberos versions of the protocols.
As far as relative security is concerned:
a) If you have root access to a server, all bets are off regardless
of whether or not Kerberos is involved, extra tables are involved,
etc.
b) A two-stage approach, where you first authenticate to knetd,
then invoke "is_this_one_ok()" is somewhat less secure, in that
you have opened a time window for impersonation of the client.
Steve.
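The time window in point (b), modelled as an added example that is not code from this thread, from knetd or from MIT Kerberos. Assumptions made here: the client and service already share a session key (what the Kerberos ticket would have delivered); an AP_REQ is stood in for by an HMAC over the client's address and a fresh nonce, with a replay cache in place of the real routine's ticket and timestamp checks; and the two-stage design's `is_this_one_ok()` table is keyed by the client's network address, which a host on the same network is assumed able to spoof. Names such as `Knetd`, `two_stage_service` and `embedded_service` are illustrative.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


def make_ap_req(session_key: bytes, client_addr: str):
    """Client side: build an authenticator that binds the shared session key
    to the client's address and a fresh nonce (stand-in for a timestamp)."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(session_key, f"{client_addr}|{nonce}".encode(), hashlib.sha256).digest()
    return nonce, tag


def rd_ap_req(session_key: bytes, seen: Set[str], client_addr: str,
              nonce: Optional[str], tag: Optional[bytes]) -> bool:
    """Stand-in for rd_ap_req(): verify the authenticator and refuse a replay.
    The real routine checks a ticket and a timestamp; this model keeps only
    the MAC check and a replay cache (assumption, not the original code)."""
    if nonce is None or tag is None or nonce in seen:
        return False
    expected = hmac.new(session_key, f"{client_addr}|{nonce}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    seen.add(nonce)
    return True


@dataclass
class Connection:
    """What a server sees: the peer address plus whatever the peer sent."""
    peer_addr: str
    nonce: Optional[str] = None
    tag: Optional[bytes] = None


@dataclass
class Knetd:
    """Two-stage design: knetd verifies the AP_REQ, records the peer address,
    and the real service later asks is_this_one_ok() about its own peer."""
    session_key: bytes
    seen: Set[str] = field(default_factory=set)
    ok_table: Set[str] = field(default_factory=set)

    def authenticate(self, conn: Connection) -> bool:
        if rd_ap_req(self.session_key, self.seen, conn.peer_addr, conn.nonce, conn.tag):
            self.ok_table.add(conn.peer_addr)   # assumption: table keyed by address
            return True
        return False

    def is_this_one_ok(self, conn: Connection) -> bool:
        return conn.peer_addr in self.ok_table


def two_stage_service(knetd: Knetd, conn: Connection) -> bool:
    """The service never sees an authenticator; it only trusts knetd's table."""
    return knetd.is_this_one_ok(conn)


def embedded_service(session_key: bytes, seen: Set[str], conn: Connection) -> bool:
    """Jeff's alternative: rd_ap_req() runs inside the service protocol, on the
    very connection that carries the request, so there is no separate window."""
    return rd_ap_req(session_key, seen, conn.peer_addr, conn.nonce, conn.tag)


def run_scenario() -> dict:
    key = secrets.token_bytes(32)          # session key from the (modelled) ticket
    client_addr = "18.72.0.5"              # constructed client address
    nonce, tag = make_ap_req(key, client_addr)

    # Stage one: the real client authenticates to knetd.
    knetd = Knetd(key)
    stage_one = knetd.authenticate(Connection(client_addr, nonce, tag))

    # The window: before the service runs is_this_one_ok(), a host that can
    # spoof the client's address connects with no authenticator at all.
    spoofed = Connection(client_addr)

    # Embedded design: the service checks the authenticator itself, with its
    # own replay cache; a spoofed connection carries nothing to verify.
    seen: Set[str] = set()
    return {
        "stage_one_ok": stage_one,
        "two_stage_accepts_spoof": two_stage_service(knetd, spoofed),
        "embedded_accepts_spoof": embedded_service(key, seen, spoofed),
        "embedded_accepts_client": embedded_service(key, seen, Connection(client_addr, nonce, tag)),
        "embedded_accepts_replay": embedded_service(key, seen, Connection(client_addr, nonce, tag)),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Running `run_scenario()` shows the asymmetry the message describes: the two-stage service accepts the spoofed connection because the address was entered in knetd's table by someone else's authentication, while the service that verifies the AP_REQ on its own connection accepts only the holder of the session key, and rejects the same authenticator a second time.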