[106] in Kerberos
Re: simpler approach to RVD-kerberos
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:29:06 1987
From jis@BITSY.MIT.EDU Sun Sep 28 10:57:57 1986
Date: Sun, 28 Sep 86 10:57:07 EDT
From: jis@BITSY.MIT.EDU (Jeffrey I. Schiller)
To: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
Cc: rlk@ATHENA.MIT.EDU, Robert L. Krawitz <rlk@ATHENA.MIT.EDU>,
kerberos@ATHENA.MIT.EDU, rvd-info@ATHENA.MIT.EDU, yba@ATHENA.MIT.EDU
Subject: Re: simpler approach to RVD-kerberos
I agree with RLK. If we don't provide a way for users to
exchange information, short of exchanging their login passwords, they
WILL exchange their login passwords.
This wouldn't be so bad except that I feel it establishes a
bad precedent that would be hard to change later, once ACL service is
available. How hard would it be to code in the password setting code
on the database server on hector (set up so that anyone with kerberos
authentication as the owner can diddle the passwords)?
On another topic: Operations and Maintenance of RVDs.
I have been chomping over in my mind a proposal for quite some
time. I haven't said anything yet because I feel it is "unclean" and
fuzzes the boundary between AUTHENTICATION and AUTHORIZATION... a
boundary that I was an ardent supporter of!
Begin suggest-a-kludge mode (until an ACL service lives):
Currently each service machine resides within a kerberos
realm, and each service can find out its realm with a kerberos library
call.
Each kerberos principal has a name that consists of two
components: a "name" and an "instance". For humans registered in the
database the "name" is their login name and their "instance" is NULL.
Some few of us also have a different "principal" (with its own
password). This principal has our login names as our "name" and the
string "root" as our instance. Certain services know to grant certain
(listed) people "super-user" access as long as their "root" instances
are used to authenticate their requests. We only get tickets for
services with our "root" instances if we intend to do super-userish
sort of things. In this way our normally logged in terminal is not a
gateway to the world for some intruder.
Note: everything in the above paragraphs is already implemented.
I propose generalizing this mechanism of "root" instance
trusting so that all who come calling with a "root" instance are
trusted as the super-user. We then only allow certain individuals to
have "root" instances. Therefore in place of the RVD operations
password any "root" instance from a realm equal to the realm of the
server is permitted to do RVD system control operations, and the
"name" field of the authentication is logged in the RVD log. When an
individual no longer needs root access (i.e. he no longer works for
Athena) his root instance can be decommissioned without affecting his
normal NULL instance.
End suggest-a-kludge mode;
-Jeff
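The "root" instance scheme described in the message, modelled as an added example (not code from the message, from RVD or from Kerberos): the rule already in place (listed names, "root" instance only), the proposed rule (any "root" instance from the server's own realm, with the "name" field logged), and decommissioning a root instance without touching the NULL instance. The `name[.instance]@REALM` principal syntax, the in-memory "registry" standing in for the Kerberos database, and the log format are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Principal:
    name: str
    instance: Optional[str]   # None models the NULL instance of a normal login
    realm: str

def parse_principal(text: str) -> Principal:
    """Split 'name[.instance]@REALM' into its parts (assumed syntax)."""
    local, sep, realm = text.rpartition("@")
    name, dot, instance = local.partition(".")
    if not sep or not name or not realm or (dot and not instance):
        raise ValueError(f"malformed principal {text!r}")
    return Principal(name, instance if dot else None, realm)

def listed_operator_rule(p: Principal, server_realm: str, listed: Set[str]) -> bool:
    """Scheme already in place: only listed names, and only via their 'root' instance."""
    return p.instance == "root" and p.realm == server_realm and p.name in listed

def any_root_rule(p: Principal, server_realm: str) -> bool:
    """The proposal: any 'root' instance from the server's own realm is super-user."""
    return p.instance == "root" and p.realm == server_realm

def rvd_control(principal_text: str, server_realm: str,
                registry: Set[Principal], log: List[str]) -> bool:
    """Decide one RVD system-control request under the proposed rule; log the name."""
    p = parse_principal(principal_text)
    who = f"name={p.name} instance={p.instance or 'NULL'} realm={p.realm}"
    # A decommissioned instance no longer exists in the (hypothetical) Kerberos
    # database, so the caller cannot get a ticket and authentication fails first.
    if p not in registry:
        log.append(f"rvd-control DENY unauthenticated {who}")
        return False
    allowed = any_root_rule(p, server_realm)
    log.append(f"rvd-control {'PERMIT' if allowed else 'DENY'} {who}")
    return allowed

def decommission_root(registry: Set[Principal], name: str, realm: str) -> None:
    """Retire only the 'root' instance; the person's NULL instance is untouched."""
    registry.discard(Principal(name, "root", realm))

if __name__ == "__main__":
    # Constructed sample database: one person with both a NULL and a 'root' instance.
    db = {parse_principal("jis@ATHENA.MIT.EDU"), parse_principal("jis.root@ATHENA.MIT.EDU")}
    audit: List[str] = []
    rvd_control("jis.root@ATHENA.MIT.EDU", "ATHENA.MIT.EDU", db, audit)  # PERMIT
    rvd_control("jis@ATHENA.MIT.EDU", "ATHENA.MIT.EDU", db, audit)       # DENY
    decommission_root(db, "jis", "ATHENA.MIT.EDU")
    rvd_control("jis.root@ATHENA.MIT.EDU", "ATHENA.MIT.EDU", db, audit)  # DENY unauthenticated
    print("\n".join(audit))
```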