[2807] in Kerberos
Cross Realm Operation V5
daemon@ATHENA.MIT.EDU (Joe Ramus)
Fri Sep 10 18:39:03 1993
Date: Fri, 10 Sep 93 15:26:35 PDT
From: ramus@nersc.gov (Joe Ramus)
To: kerberos@Athena.MIT.EDU

I have the Internet Draft dated 21 April 1993 by Kohl & Neuman which
specifies the Kerberos 5 protocol. Section 1.1 talks about
Cross-Realm Operation and inter-realm keys. It is not obvious to me
how to actually do this.

As a simple case, suppose I have a parent & child realm which are
managed by different people at different sites. But they trust each
other. Assume the realm names are:

    top.dog and pup.top.dog

In the KDC for top.dog, I have:

    krbtgt/top.dog@top.dog
    krbtgt/pup.top.dog@top.dog

In the KDC for pup.top.dog, I have:

    krbtgt/top.dog@pup.top.dog
    krbtgt/pup.top.dog@pup.top.dog

I assume that the same key (password) must be used in both places
for krbtgt/top.dog and for krbtgt/pup.top.dog

Are there any existing applications that will use this capability?
For example, V5 telnet or rsh?

Assume that host1 lives in the top.dog realm and host2 lives in the
pup.top.dog realm. What kind of entries will I need in the file
/etc/v5srvtab on each host?

Then assume that JOE is authenticated in top.dog only and does not
exist in the pup.top.dog KDC. JOE is logged in on host1 and has a
user account on host2. Assuming the proper "dot" files in the home
directory of host2, can JOE use telnet to do an authenticated login
on host2? Can JOE use authenticated rsh to perform a task on host2?

----------------------------------------------------------------
| Joe Ramus NERSC Livermore (510) 423-8917 ramus@nersc.gov |
----------------------------------------------------------------