Inter Realm Testing
daemon@ATHENA.MIT.EDU (Doug Engert)
Fri Apr 1 17:23:51 1994
Date: Fri, 01 Apr 94 14:43:46 CST
From: "Doug Engert" <DEEngert@anl.gov>
To: <glenz@geek.ocsg.com>
Cc: <kerberos@MIT.EDU>, <auth-pilot@es.net>
Glen Zorn glenz@OCSG.COM writes:
> Doug ~
>
> With respect to inter-realm authentication, have you tested shortcut links;
> i.e., V4-style inter-realm authentication in which realms a.z and b.z share
> inter-realm keys between themselves, but not with any "higher" realm z?
>
> ~gwz
I have tried a.z to z and z to a.z but not a.z to b.z. I was
letting the walk_rtree.c code return the path for gc_frm_kdc.c to
traverse.
A simple addition could also be made to gc_frm_kdc.c to try to
take a short cut first, before calling walk_rtree.c.
walk_rtree.c walks up and down the domain name tree today, but it
could have some smarts about taking short cuts, such as when it
gets near the top of the tree, look at another configuration file
to see if two organizations have traded keys.
For example, organizations xxx.gov and yyy.gov, each with many
sub-realms, could have a top KDC and would trade keys, or would
agree to use some service. A configuration file of the form:
realm1 realm2 realma realmb realmc ...
could be used by walk_rtree.c to add in the realma realmb realmc
path to the list returned, when it found it was trying to get
from realm1 to realm2. If there were no intermediate realms
listed, (no realma) it would mean that realm1 and realm2 had
traded keys.
For example:
ANL, NERSC, PNL are all on ES.NET, and ANL is working with HAL.COM
and is also on BIO.NET
with NIH, for example. (I use BIO.NET as an example; I don't know
if there is such a network.) We all have domain names of ".gov".
If I at ANL have a configuration file of the
anl.gov nersc.gov es.net
anl.gov pnl.gov es.net
anl.gov nih.gov bio.net
anl.gov hal.com
With this approach, it would also mean that there does not have
to be that one top Kerberos KDC for .gov. An organization could
pick its realm names based on something else, and could share
keys with more than one group.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
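The lookup Doug sketches above can be modelled in a few dozen lines. The following is an added illustration, not code from MIT Kerberos or from the author: it parses a shortcut table in the "realm1 realm2 realma realmb ..." form given in the post (the sample table is constructed from the anl.gov lines he lists), and falls back to an up-and-down walk of the domain-name tree in the spirit of walk_rtree.c when no entry applies. The function names, the comment syntax in the table, case-folding of realm names, and the choice to treat entries as one-directional (krb5 keeps a separate cross-realm principal per direction) are all assumptions of this example. The path it returns is what a KDC would later see in the ticket's transited field, so the table is in effect a declaration of which intermediate realms an organization is prepared to trust.

```python
"""Model of the inter-realm "short cut" lookup proposed in the post.

Added example, not MIT Kerberos code: it consults a pair-wise shortcut
table ("realm1 realm2 realma realmb ...") before falling back to the
up-and-down walk of the domain-name tree that walk_rtree.c performs.
Names, the table parser and the sample table below are assumptions.
"""

# Sample shortcut table, constructed from the lines given in the post.
# Each line: source realm, destination realm, then zero or more
# intermediate realms in traversal order.  A line with no intermediates
# means the two realms share inter-realm keys directly.
SAMPLE_SHORTCUTS = """\
# realm1   realm2     intermediates...
anl.gov    nersc.gov  es.net
anl.gov    pnl.gov    es.net
anl.gov    nih.gov    bio.net
anl.gov    hal.com
"""


def parse_shortcuts(text):
    """Parse the shortcut table into {(realm1, realm2): [intermediates]}.

    Realm names are case-folded so ANL.GOV and anl.gov match.  Entries are
    one-directional (assumption): a path from realm2 back to realm1 needs
    its own line, since krb5 holds a separate cross-realm key per direction.
    """
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # '#' starts a comment (assumed)
        if not line:
            continue
        fields = [f.lower() for f in line.split()]
        if len(fields) < 2:
            raise ValueError("line %d: need at least two realms" % lineno)
        key = (fields[0], fields[1])
        if key in table:
            raise ValueError("line %d: duplicate entry %s -> %s" % (lineno, key[0], key[1]))
        table[key] = fields[2:]
    return table


def hierarchical_path(client, server):
    """Walk the realm tree the way walk_rtree.c does, with no shortcuts.

    The path climbs from the client realm to the nearest common ancestor
    (if any) and descends to the server realm.  With no common suffix at
    all (anl.gov -> hal.com) it passes through both top-level realms.
    """
    c = client.lower().split(".")
    s = server.lower().split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(len(c) - common)]
    ancestor = [".".join(c[len(c) - common:])] if common else []
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]
    return up + ancestor + down


def realm_path(client, server, shortcuts):
    """Return the realms a ticket passes through, client realm first."""
    key = (client.lower(), server.lower())
    if key in shortcuts:
        return [key[0]] + shortcuts[key] + [key[1]]
    return hierarchical_path(client, server)


if __name__ == "__main__":
    table = parse_shortcuts(SAMPLE_SHORTCUTS)
    for dst in ("nersc.gov", "hal.com", "llnl.gov", "ucsd.edu"):
        print("anl.gov -> %-10s %s" % (dst, " -> ".join(realm_path("anl.gov", dst, table))))
```

Running the block prints the four paths: the two table hits (via es.net, and the direct anl.gov to hal.com link) and the two hierarchical fallbacks (through gov, and through gov and edu). Note the last of these shows what the plain tree walk does when two realms share no suffix: it relies on the top-level realms trusting each other, which is exactly the assumption the shortcut table lets an organization avoid.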