[6579] in Kerberos
Re: Authentication Only ?
daemon@ATHENA.MIT.EDU (John Brezak)
Fri Feb 2 18:28:02 1996
Date: Fri, 02 Feb 1996 17:15:12 -0500
To: trier@odin.INS.CWRU.Edu (Stephen C. Trier)
From: John Brezak <brezak@apollo.hp.com>
Cc: Jon Roma <roma@uiuc.edu>, kerberos@MIT.EDU
At 03:50 PM 2/2/96 +0000, Stephen C. Trier wrote:
>OK, there's another technique I've thought about. This one is ugly,
>though:
>
>Put a proxy server on every client machine. Make this server accept
>connections only on the loopback address. It accepts (nominally)
>insecure connections from a local client, then does Secure, Real
>Kerberos Authentication(tm) to a Kerberos-aware HTTP server on the net.
>
>This would be slower than a direct connection because of the extra data
>copies, but it would satisfy those who don't like seeing plaintext
>passwords on the net. Since the insecure connection is made on the
>loopback interface, plaintext passwords, if any, would not leave the
>machine.
>
>Implementation is left as an exercise for the reader. :-) If anyone
>writes or knows of a kerberizing proxy server like this, I'd love a
>copy...
Check out the OSF/RI's DCE Web project. They do this very thing.
http://www.osf.org/www/dceweb/DWTech.html#Wafer
If you get one of these for kerberos (4/5) auth, I'd like a copy...
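
Added example, not part of the original thread and not code from the DCE Web project: a minimal sketch of the loopback-only proxy Stephen Trier describes, which accepts local connections, discards any client-supplied credentials and attaches its own before forwarding. Assumptions: `get_token` is a hypothetical callable standing in for the real Kerberos/GSS-API step, the `Negotiate` header scheme comes from the later RFC 4559 rather than from this thread, and only a single body-less request per connection is handled.

```python
import socket, threading

LOOPBACK = "127.0.0.1"

def make_listener(port=0):
    """Listen on the loopback address only, so no remote host can reach the proxy."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOPBACK, port))          # never "" or 0.0.0.0
    s.listen(5)
    return s

def add_auth(request: bytes, token: str) -> bytes:
    """Drop any Authorization header sent by the client and insert the proxy's own."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n")
             if not l.lower().startswith(b"authorization:")]
    # Assumed header format (RFC 4559 style); token is base64 text from get_token().
    lines.insert(1, b"Authorization: Negotiate " + token.encode("ascii"))
    return b"\r\n".join(lines) + sep + body

def read_head(conn):
    """Read until the blank line that ends the request headers."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def handle(conn, peer, upstream, get_token):
    with conn:
        if peer[0] != LOOPBACK:       # defence in depth; the bind already limits this
            return
        request = read_head(conn)
        with socket.create_connection(upstream, timeout=5) as up:
            up.sendall(add_auth(request, get_token()))
            up.shutdown(socket.SHUT_WR)
            while chunk := up.recv(4096):   # relay the reply to the local client
                conn.sendall(chunk)

def serve(listener, upstream, get_token):
    while True:
        conn, peer = listener.accept()
        threading.Thread(target=handle, args=(conn, peer, upstream, get_token),
                         daemon=True).start()

if __name__ == "__main__":
    # Constructed values: placeholder upstream host and placeholder token.
    serve(make_listener(8080), ("www.example.org", 80), lambda: "PLACEHOLDER")
```

The hop from the proxy to the upstream server is plain TCP here; protecting that leg is the job of the real Kerberos exchange that `get_token` stands in for.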