[119] in Kerberos
re: authentication forwarding; X ser
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:30:42 1987
From Saltzer@ATHENA.MIT.EDU Thu Oct 16 12:28:38 1986
Date: Thu, 16 Oct 86 12:26:07 EDT
To: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller)
Subject: re: authentication forwarding; X servers
Cc: kerberos@athena.mit.edu (Distribution list @KERB)
In-Reply-To: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller)'s message of 15-Oct-1986 1518
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
Originating-Client: <E40-391A-1.MIT.EDU>

> A user logging into a workstation is in a perfect position to
> securely distribute a session key to the server, i.e. the X server on
> the workstation, and the client, i.e. themself! For example, the
> user could use their own password as the temporary X server master
> key, and construct their own ticket for the X service automatically
> at login time!

This is clearly the right direction to go for X authentication. I
don't like the idea of using the user's own password, which otherwise
doesn't need to remain around on the workstation. But for
self-authentication any randomly-generated key will do just fine.
The obvious one to use is the session key obtained in the initial
Kerberos encounter.

The main problem underlying this direction is mechanical: the current
mechanism for rsh and rlogin isn't equipped to pass environment
information, such as display location and, with this proposal,
authenticators.

Jerry