[6570] in Kerberos
Re: Authentication Only ?
daemon@ATHENA.MIT.EDU (Stephen C. Trier)
Fri Feb 2 12:05:25 1996
From: trier@odin.INS.CWRU.Edu. (Stephen C. Trier)
Date: Fri, 2 Feb 1996 11:56:54 +0000
In-Reply-To: choward@staff1.lib.iastate.edu (Chris Howard)
"Authentication Only ?" (Feb 1, 7:38pm)
To: choward@staff1.lib.iastate.edu (Chris Howard), kerberos@MIT.EDU
Yes, you can do that. You can accept a plaintext password with the
standard HTTP authentication protocol, check it against Kerberos, then
serve the data. I do that here. The drawback is that it uses Kerberos
as no more than a shadow password system, introducing all of the risks
of plaintext passwords. That said, it does the job!
The simplest way to do it is to see if you can get a TGT for the user.
This is easy to implement and requires no changes on the Kerberos server.
However, it is vulnerable to attacks that flood the web server with
forged TGT replies.
A better solution is to get the TGT, then use the TGT to get an rcmd
ticket for the local host. This defends against the forged-TGT-reply
attack, but it may require some cooperation from the Kerberos
administrator, depending on your site Kerberos policies.
Remember to destroy the TGT ASAP after authenticating the user!
Your site policy may indicate that sending plaintext passwords over the
network is unacceptable. In that case, you will have to find a
Kerberos-aware web browser. :-(
Stephen
--
Stephen Trier
trier@ins.cwru.edu
KG8IH
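An added illustration, not part of Stephen's post, of the two checks he describes: a toy Python model in which an HMAC tag stands in for Kerberos encryption, the forged-reply attacker answers in place of the KDC, and only the host-ticket check catches it. KDC, ForgedKDC, check_tgt_only and check_with_host_ticket, and the "host/www" service name, are constructed for this example.

```python
import hashlib, hmac, os, secrets

def key_from_password(pw: str) -> bytes:      # stand-in for string-to-key
    return hashlib.sha256(b"k5:" + pw.encode()).digest()

def seal(key: bytes, payload: bytes) -> bytes:  # toy "encryption": tag || payload
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def unseal(key: bytes, blob: bytes) -> bytes:   # raises ValueError on wrong key
    tag, payload = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        raise ValueError("ticket does not decrypt under this key")
    return payload

HOST_KEY = key_from_password("constructed keytab secret for host/www")

class KDC:
    """Honest KDC: knows every user key and the host key."""
    def __init__(self, user_keys: dict, host_key: bytes):
        self.user_keys, self.host_key = user_keys, host_key
        self.tgs_key = secrets.token_bytes(32)
    def as_req(self, user: str) -> bytes:       # AS reply sealed under the user key
        tgt = seal(self.tgs_key, b"TGT:" + user.encode())
        return seal(self.user_keys[user], b"ASREP:" + tgt)
    def tgs_req(self, tgt: bytes, service: str) -> bytes:  # sealed under service key
        user = unseal(self.tgs_key, tgt).removeprefix(b"TGT:")
        return seal(self.host_key, b"TKT:" + user + b"@" + service.encode())

class ForgedKDC:
    """Attacker spoofing KDC replies: knows the password it submitted, not HOST_KEY."""
    def __init__(self, password: str):
        self.key = key_from_password(password)
    def as_req(self, user: str) -> bytes:       # forged reply under the guessed key
        return seal(self.key, b"ASREP:forged")
    def tgs_req(self, tgt: bytes, service: str) -> bytes:
        return seal(os.urandom(32), b"junk")    # cannot seal under the host key

def check_tgt_only(kdc, user: str, password: str) -> bool:
    """Weak check: does the AS reply decrypt with the submitted password?"""
    try:
        unseal(key_from_password(password), kdc.as_req(user))
        return True
    except ValueError:
        return False

def check_with_host_ticket(kdc, user: str, password: str, host_key: bytes) -> bool:
    """Stronger check: use the TGT to get a host ticket, verify it with the keytab."""
    try:
        asrep = unseal(key_from_password(password), kdc.as_req(user))
        ticket = kdc.tgs_req(asrep.removeprefix(b"ASREP:"), "host/www")
        del asrep                                 # destroy the TGT as soon as it is used
        unseal(host_key, ticket)                  # only the real KDC knows host_key
        return True
    except ValueError:
        return False
```

With the honest KDC both checks accept the right password and reject a wrong one; against the forged KDC the TGT-only check accepts any password, while the host-ticket check still fails.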