Re: knetd
jon@ATHENA.MIT.EDU
Sun Aug 9 21:25:56 1987
From Saltzer@ATHENA.MIT.EDU Thu Sep 18 16:58:06 1986
Date: Thu, 18 Sep 86 16:54:11 EDT
Subject: Re: knetd
To: wesommer@ATHENA.MIT.EDU
Cc: saltzer@athena.mit.edu, kerberos@athena.mit.edu
In-Reply-To: wesommer@ATHENA.MIT.EDU's message of Thu, 18 Sep 86 15:34:39 -0500
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
Originating-Client: <E40-391A-1.MIT.EDU>
Oops. Obviously.
Back to the original proposal:
1. knetd swallows the authenticator and places in /etc/ a
root-writeable-anyone-readable table that lists (user identity,
service, ip address, expiration time) 4-tuples that have been
authenticated.
2. knetd invokes the appropriate server. The server runs what it
thinks is the standard protocol with the client.
3. When the client declares its claimed identity via the standard
protocol, the server asks is_this_one_ok by calling a subroutine that
looks to see if the claimed identity is actually in the table.
I think that may help remove the need for servers to make sure they
are invoked by root processes. (Instead, they probably need to check to
make sure that the table is still writeable only by root!)
Jerry
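The three-step proposal above, as an added Python sketch (not code from the list or from Kerberos): a server-side is_this_one_ok() over the (user, service, ip, expiration) table, which first applies Jerry's caveat that the table must still be writeable only by root. The table format, the hypothetical path, and the sample entries and addresses are constructed assumptions.

```python
"""Added sketch of the knetd proposal in this message (not code from the list
or from Kerberos); table path, format and sample values are assumptions."""
import os
import stat
from typing import NamedTuple

class AuthEntry(NamedTuple):
    user: str
    service: str
    ip: str
    expires: int  # Unix time after which the authentication is stale

def table_writable_only_by_root(st):
    """Jerry's caveat: trust the table only if root owns it and neither
    group nor world can write it."""
    return st.st_uid == 0 and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def parse_table(text):
    """Step 1 output: one whitespace-separated 4-tuple per line, '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            user, service, ip, expires = line.split()
            entries.append(AuthEntry(user, service, ip, int(expires)))
    return entries

def is_this_one_ok(entries, claimed_user, service, peer_ip, now):
    """Step 3: the claimed identity must be in the table for this service
    and peer address, and must not have expired."""
    return any(e.user == claimed_user and e.service == service
               and e.ip == peer_ip and e.expires > now for e in entries)

def check_claim(path, claimed_user, service, peer_ip, now):
    """Server-side call: refuse if the table could have been tampered with."""
    if not table_writable_only_by_root(os.stat(path)):
        return False
    with open(path) as fh:
        return is_this_one_ok(parse_table(fh.read()), claimed_user,
                              service, peer_ip, now)

# Constructed sample table; addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_TABLE = """
# user    service  ip          expires
saltzer   rlogin   192.0.2.5   1000
wesommer  ftp      192.0.2.9   500   # stale once now >= 500
"""
def fake_stat(mode, uid):
    """Constructed stat result so the permission check can run without root."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
```

A real deployment would call check_claim() with the peer address taken from the accepted socket, not from anything the client sends over the plain protocol.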