[116] in Kerberos
Re: a different proposal for authori
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:30:21 1987
From Saltzer@ATHENA.MIT.EDU Tue Oct 14 23:51:48 1986
Date: Tue, 14 Oct 86 23:48:18 EDT
To: <jg@ATHENA.MIT.EDU>
Subject: Re: a different proposal for authorization, etc.
Cc: miller%erlang.DEC@decwrl.dec.com, kerberos@ATHENA.MIT.EDU,
watchmakers@ATHENA.MIT.EDU, developers@ATHENA.MIT.EDU
In-Reply-To: <jg@ATHENA.MIT.EDU>'s message of Tue, 14 Oct 86 18:41:50 EDT
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
Originating-Client: <Saltzer-PC>
> I note that the X server is one of the type that Steve describes, and
> yes, it would be very painful to recode to not block on doing the
> authorization... In addition, when you run a program to your
> display, you would really like it to be able to start quickly....
Good point. However this one may be salvageable within a general
framework of having the server responsible for authorization
decisions. The X server is a good example of a service that almost
certainly can get along without the need for shared membership lists.
Suppose that the xhost mechanism is replaced with a simple check by
the x server of a locally-stored list of (Kerberos-authenticated)
users who are permitted to open windows. That would probably require
opening a file--perhaps only at X startup time--but no block awaiting
some network service to respond.
Another way to attack it is to observe that the one thing that needs
to go as fast as possible is figuring out that the window is being
opened by the workstation user from another host. If that case goes
fast perhaps the less frequent but more general case of a stranger
opening a window can be slower.
Here is a question for the Kerberos/rlogin crowd. If I am
Kerberos-authenticated at my workstation, and I rlogin or rsh to
another machine successfully, what (if anything) can my process at
the other machine do to short-cut the full-bore Kerberos ticket
acquisition mechanism when opening commerce with my workstation?
Superficially, the X client code at the other host is going to have
to go to Kerberos to get an X server ticket enciphered in my own
private key so that my workstation will accept it; but my workstation
could have provided that ticket as well. Any ideas on how to get
this out-and-back authentication to go cheaply? (Without
accidentally permitting anyone else logged in on the same
time-sharing system to open a window, too.)
Jerry
