[7444] in Kerberos

Re: DCE and terminal servers

daemon@ATHENA.MIT.EDU (Chris Cowan)
Mon Jun 10 15:17:41 1996

To: kerberos@MIT.EDU
Date: 10 Jun 1996 13:47:04 -0500
From: cc@mantis.austin.ibm.com (Chris Cowan)
Reply-To: cc@austin.ibm.com

>>>>> "Rich" == Rich Salz <rsalz@osf.org> writes:

    Rich> In <4mvnp2$kde@news.fsu.edu> houle@zeppo (Art Houle) writes:
    >> Multiple other  
    >> terminal server vendors also support kerberos but to my knowledge none
    >> support DCE.

    Rich> You will probably be able to use your DCE security server as your Krb5
    Rich> server.  OSF has never tested this, but the Kerberos code is there and
    Rich> at least some folks have it working.  This will be tested and "guaranteed"
    Rich> in DCE 1.2.2.

I have been able to authenticate our Xyplex terminal server off of an
IBM DCE 2.1 Registry.  The details were posted by Jeff Earickson to
comp.soft-sys.dce in Nov 1995.  However, changing passwords from the
Term Server using the normal K5 protocol doesn't quite work right.

This causes a few minor annoying problems:
- Some users have very little interaction with DCE and will probably 
  exclusively use the Term Server interface for passwd maint.
- There's a bit of a bootstrapping problem.   Obviously, you would want
  a policy to enforce passwd resets, strength, etc.   If I were an operations
  person trying to get in and my password expired, I wouldn't be able to
  reset.


    >> Please correct me if wrong, but kerberos only authenticates, does not 
    >> authorize and also uses the TCP/IP wire protocol.  DCE however does both 
    >> authentication and authorization and uses RPC on UDP (?) to exchange packets.

    Rich> I assume the Kerberized terminal server maps the krb-provided name as an
    Rich> index into the terminal server's authorization database.

    >> Any suggestions for a terminal server that can integrate in the DCE 
    >> environment are greatly appreciated.

    Rich> Short answer:  any Kerberos server will probably "just work."
    Rich> 	/r$

BTW, I am anxiously awaiting the DCE 1.2.2 functionality for K5 transparency.

-- 
Chris Cowan 
ISSC (DCE/DSM Architecture) 
-------------------------------------------------------------------------
Phone: 512-823-0113                                   FAX:   512-823-0727

--

"Writing about music is like dancing about architecture." 
	Thelonious Monk 