[108] in Kerberos
Re: simpler approach to RVD-kerberos
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:29:19 1987
From jvs@ATHENA.MIT.EDU Mon Sep 29 11:16:20 1986
From: jvs@ATHENA.MIT.EDU
Date: Mon, 29 Sep 86 11:14:35 EDT
To: Saltzer, jis
Subject: Re: simpler approach to RVD-kerberos +
Cc: bitsy.mit:Krawitz@edu, bitsy.mit:Robert@edu, kerberos, rlk, rvd-info, yba
John Ostlund and I had discussed using the instance to specify an RVD server
capability; e.g. rather than passing an instance of "root" have the RVD
server recognize instances of "rvd_admin" or "rvd_oper" and then allow
the authenticated user to perform administration or operations functions.
This is a relatively clean way to use Kerberos authentication to provide
some authorization. The problems with this solution:
1. it is a temporary fix that would have to be backed out
when a real ACLS became available.
2. it does not solve the larger problem of pack access lists.
In general, I think our efforts would be best spent in creating an ACLS rather
than trying to work around its absence.
-Jim VS