[6573] in Kerberos
Re: Authentication Only ?
daemon@ATHENA.MIT.EDU (Everette Gray Allen)
Fri Feb 2 13:56:06 1996
Date: Fri, 2 Feb 1996 13:39:54 -0500
To: "Donald T. Davis" <don@cam.ov.com>,
choward@staff1.lib.iastate.edu (Chris Howard)
From: Everette_Allen@ncsu.edu (Everette Gray Allen)
Cc: kerberos@MIT.EDU, www-kerberos@lists.Stanford.EDU
Folks,
Two comments:
1) I have been just this week reading the spec for Netscape plugins. Now
the intent is to use mime types which have not been invented when netscape
was installed...however the spec eludes to being able to override
functionality of exsisting mime types. This leads me to wonder if a
netscape kerberos plugin could be made with would wait for the "401
authentication required" and manipulate the mime x-www authentication
headers from calls to umich krb95 on pc and macleland on the mac??
Maybe someone with more programming experience than Hello World could look
at the netscape spec and tell us if this is doable or if I have mis-read
between the lines??
2) This problem could be attacked by authentication out-of-band. For
example if the web server used a cgi bin which would get the request, grab
the sending clients info and make a call back for the sgt out-of-band from
the http stream to the requesting machine. Some folks at Stanford have
already been playing with such a cgi. They may have more to report. In
theory this could work with any web client and any browser on any
platform...as long as there is some "kerberos client" on the machine to
answer the callback.
At 12:23 PM 2/2/96, Donald T. Davis wrote:
>iowa state's chris howard wrote:
>> Is there some way we can use Kerberos only for [web] authentication?
>> We don't want to require that users have a Kerberos enabled browser
>> (because there aren't any for PC or Mac).
Actually there are a few kerberos enabled browsers , NCSA's Mac version 3.x
will be, MacWeb has their own Mac and Windows, and Stanford did a mod of
MacMosaic 2.3 to work with Columbia's kerb V4 mod of NCSA httpd.
>
>mr. howard,
>i'm sorry to tell you that you can't use krb
>without krb clients, and you can't use it
>without tickets in any secure way. but, you
>can ignore the encryption keys, once you've
>authenticated the user, if you really want to.
>
>there is a kerberos-capable mosaic browser
>& server; you should contact adam cain. i've
>appended a message from him, about a web-site
>and a mailing-list pertaining to his kerberized
>web stuff.
>
>i don't know whether his code supports pc's
>and macs, but given that freeware krb for
>win95 & nt just became available from u. mich,
>i expect that cain's code will support those
>operating systems soon. krb for windows has
>been out for a while. i've appended umich's
>announcement, below cain's.
>
> -don davis, boston
> former athena staff
>------------------------------------------------------------------
>
>Date: Tue, 27 Jun 95 14:35:48 CDT
>From: acain@ncsa.uiuc.edu (Adam Douglas Cain)
>To: www-kerberos@lists.Stanford.EDU
>Subject: new kerberized web page (pseudo-FAQ)
>
>Hello WWW-Kerberosees!
>
>I've updated the web page describing the nature, history and status of the
>Web Kerberization work. It can be found at
>
> http://snapple.ncsa.uiuc.edu/adam/khttp/intro.html
>
>Perhaps this page, along with the few pages it points to, could be put on
>the www-kerberos archive.
>
>Please let me know if you have any suggestions or new info for this page.
>
> Adam
>
>-------------------------------------------------------------------
>To: kerberos@MIT.EDU
>Date: Tue, 30 Jan 96 17:31:36 GMT
>From: kerb95@umich.edu
>Organization: University of Michigan - ITD
>Subject: Announcing an implementation of Kerberos for Windows95/NT
>
> Hello,
>
> There is now available for anonymous FTP an implementation of
> Kerberos for Windows 95 and NT.
>
> You may obtain the beta DLLs, LIBs, header files, and unfinished
> documentation (postscript), along with a ticket manager (also beta)
> from us via the following URL:
>
> ftp://terminator.rs.itd.umich.edu/win/Kerb95
>
> The source will be made available once the final release has been
> issued.
>
> This implementation of Kerberos does not follow the MIT API, nor
> does it use any of of the MIT source. It is strictly Win32 code that
> takes advantage of Win32 features found in Windows 95 and NT. (Win32s
> on Windows 3.1, 3.11, and 3.11WFG is not supported.)
>
> Here is a short list of features:
>
> Uses the Windows Registry for Kerberos information.
>
> Allows multiple identities to be used simultaneously.
>
> Supports password changing.
>
> Allows selective deletion of tickets.
>
> The ticket cache is kept in a memory mapped file and not
> stored on disk.
>
> 'Canned' dialogs that applications may use for authentication,
> password changing, and host/realm modifications.
>
> Unicode and ASCII versions of each API call that takes a string
> parameter.
>
> Also the API calls have a version parameter to specify which version
> of Kerberos to use. But at this time only Kerberos version 4 is
> recognized. Version 5 support will be added later.
>
> To insure that the final release is complete, we would like to hear
> comments on this API. Please feel free to send them to
> kerb95@umich.edu.
>
> Thank You.
Everette Gray Allen Consultant III
Box 7109 NCSU Campus NCSU Computing Center
Raleigh, NC 27695-7109 919-515-2517
