[234] in Zephyr Mailing List
Re: Interrealm support issues
daemon@ATHENA.MIT.EDU (E. Jay Berkenbilt)
Wed Jan 1 21:49:19 1997
Date: Wed, 1 Jan 1997 21:44:36 -0500
From: "E. Jay Berkenbilt" <ejb@ql.org>
To: ghudson@MIT.EDU
Cc: zephyr@MIT.EDU
In-Reply-To: <199701011042.FAA10652@the-light-fantastic.MIT.EDU> (message from
Greg Hudson on Wed, 1 Jan 1997 05:42:25 -0500)
I have two comments, but both have been mentioned by either you or
Derek. One is the issue of deducing Zephyr realms from Kerberos
realms. You mention that no one tries to equate AFS realms with
Kerberos realms. In fact, this was done at one time, and we had to
change the code before we could really start using AFS at Athena. In
the early days, CMU used AFS for everything, and the kerberos server
was essentially part of AFS. (Phooey. I seem to have forgotten the
details. I want to say the server was called kasserver or kaserver
and that the client was called kas, but I'm really not sure this is
right.) There was even a bug that the bosserver (or is that boserver?
I forget that too) would check for the validity of kerberos tickets
without checking the realm so that you could create afs.whatever keys
in a realm that shared keys with athena.mit.edu to break into Athena's
AFS servers by using bos exec to add a line to /.klogin... Inferring
the zephyr realm from the Kerberos realm is probably a Very Bad Thing
and will probably have to be undone if interrealm zephyr ever really
starts being used. (A less important issue is that setting up baby
test zephyr realms is harder if you have to mess around with setting
up a kerberos realm and exchanging keys too.) I've been away from
this stuff too long to remember off hand what the exact issues are
also in terms of deciding what credentials are needed for a zephyr
server to trust another zephyr server in the same realm or for
interrealm communication among servers, or even for a client in one
realm to authenticate to a server in another. I suppose the right
answer is to use some kind of name service (including possibly a
configuration file) to map zephyr realms to kerberos realms...
The other issue is that of using zephyr through a firewall. I don't
know the zephyr protocol at all, so I can't speak with too much
authority on this, but interrealm zephyr certainly would increase the
desirability of being able to run kerberos and zephyr over a firewall.
It would be nice to be able to zwrite user@companya.com from
companyb.com when both networks are behind separate firewalls. This
shouldn't, perhaps, be a driving factor, but hopefully
design/implementation decisions concerning interrealm support should
not preclude eventual support of this idea....
--
E. Jay Berkenbilt (ejb@ql.org) | Member, League for Programming Freedom
http://www.ql.org/q/ | lpf@uunet.uu.net, http://www.lpf.org