[7689] in Kerberos
Re: Cross-realm authentication
daemon@ATHENA.MIT.EDU (Paul A Vixie)
Sun Jul 28 14:24:18 1996
To: kerberos@MIT.EDU
Date: 28 Jul 1996 08:42:17 GMT
From: vixie@vix.com (Paul A Vixie)
Sean Fagin reminded me that it's "krbtgt" not "rcmd". I should have
checked what I'd done and not relied upon my memory of doing it.
In article <VIXIE.96Jul27232857@wisdom.vix.com> vixie@vix.com (Paul A Vixie) writes:
From: vixie@vix.com (Paul A Vixie)
Newsgroups: comp.protocols.kerberos
Date: 28 Jul 1996 06:28:57 GMT
Organization: Vixie Enterprises
References: <4t3e20$dbs@charnel.ecst.csuchico.edu>
> Help Please!
With the help of several Kerberos wizards, I finally learned about K4
cross-realm authentication recently. It's so simple it's embarrassing
that someone had to explain it to me.
In the NET.CSUCHICO.EDU realm, add this principal:
    principal: rcmd
    instance: ECST.CSUCHICO.EDU
    password: SharedSecret
In the ECST.CSUCHICO.EDU realm, add this principal:
    principal: rcmd
    instance: NET.CSUCHICO.EDU
    password: SharedSecret
You don't have to use "SharedSecret" -- anything will do as long as it's
the same password both times. I moused in some line noise which I will
never remember, since I don't care to remember it.
That's _IT_. On a system whose srvtab and krb.conf files make it part of
either of the above realms, you can put things into ~/.klogin containing
ticket names in either of the above realms. krb.conf and krb.realms have
to list servers and domain bindings for both realms, too.
It doesn't work for ~root/.klogin (used by "su" on BSD/OS) but that's as
it should be, in my humble opinion.
--
Paul Vixie
La Honda, CA "Illegitimibus non carborundum."
<paul@vix.com>
pacbell!vixie!paul
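
Added example, not part of the original post or of any Kerberos distribution: a check that a host's krb.conf and krb.realms cover both realms of the cross-realm pair, plus the principal names each realm needs under the "krbtgt" correction. It assumes the K4 layouts "REALM host [admin server]" (after a first line naming the local realm) and "host-or-.domain REALM"; the host and domain names are constructed placeholders.

```python
# Added example: sanity-check krb.conf / krb.realms for a K4 cross-realm pair.
# Host and domain names below are constructed placeholders, not from the post.
KRB_CONF = """\
NET.CSUCHICO.EDU
NET.CSUCHICO.EDU kdc.net.example admin server
ECST.CSUCHICO.EDU kdc.ecst.example admin server
"""
KRB_REALMS = """\
.net.example NET.CSUCHICO.EDU
.ecst.example ECST.CSUCHICO.EDU
"""

def parse_krb_conf(text):
    """First line is the local realm; later lines are 'REALM host [admin server]'."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows:
        return None, {}
    servers = {}
    for fields in rows[1:]:
        if len(fields) >= 2:
            servers.setdefault(fields[0], []).append(fields[1])
    return rows[0][0], servers

def parse_krb_realms(text):
    """Each line is 'host-or-.domain REALM'; returns realm -> list of bindings."""
    bindings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            bindings.setdefault(fields[1], []).append(fields[0])
    return bindings

def check_cross_realm(conf_text, realms_text, realm_a, realm_b):
    """Return a list of problems; an empty list means both realms are covered."""
    local, servers = parse_krb_conf(conf_text)
    bindings = parse_krb_realms(realms_text)
    problems = []
    if local not in (realm_a, realm_b):
        problems.append(f"krb.conf: local realm {local!r} is neither realm")
    for realm in (realm_a, realm_b):
        if not servers.get(realm):
            problems.append(f"krb.conf: no server listed for {realm}")
        if not bindings.get(realm):
            problems.append(f"krb.realms: no domain binding for {realm}")
    return problems

def cross_realm_principals(realm_a, realm_b):
    """K4 name.instance@REALM entries, one per realm, using krbtgt per the correction."""
    return [f"krbtgt.{realm_b}@{realm_a}", f"krbtgt.{realm_a}@{realm_b}"]
```

An empty list from check_cross_realm means the host lists a server and a domain binding for both realms; the two names from cross_realm_principals are the entries that must carry the same password.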