[241] in Zephyr Mailing List
Re: Interrealm support issues
daemon@ATHENA.MIT.EDU (Derek Atkins)
Fri Jan 3 10:46:52 1997
To: Greg Hudson <ghudson@MIT.EDU>
Cc: Derrick J Brashear <shadow@DEMENTIA.ORG>, zephyr@MIT.EDU
From: Derek Atkins <warlord@MIT.EDU>
Date: 03 Jan 1997 10:44:22 -0500
In-Reply-To: Greg Hudson's message of Fri, 03 Jan 1997 10:22:07 EST
Greg Hudson <ghudson@MIT.EDU> writes:
>
> > Currently, zephyr assumes that these two "realms" (the recipient
> > principal realm and the zephyr kerberos realm) are the same.
>
> Unless I'm confused, I think this is wrong. Both the sender and the
> recipient have Kerberos realms associated with them, which are
> independent of the server's Kerberos realm. If the above statement
> were true, marc@cygnus.com or shadow@andrew.cmu.edu would have
> difficulty receiving authentic zephyr notices.
It depends on whether you are talking about the sending side or the
receiving side. From the *sending* side, the recipient principal
realm and the zephyr kerberos realm are assumed to be the same. With
an unhacked client, it automatically authenticates to the local realm
and sends the messages to the local realm. So, sending a message to
marc@cygnus.com from a standard Athena client would authenticate to
zephyr.zephyr@ATHENA.MIT.EDU and send it to the Athena z-servers.
From the receiving side, there really isn't any assumption at all.
The current (single realm) code assumes that it is only talking to one
server. I made a slight change which assumed that zephyr kerberos
realm == sender's principal realm. Marc fixed this to look at the
z-server IP address and do a krb_realmofhost() on that address to
attempt to find the z-server kerberos realm, which works more often.
With the default clients, no interrealm messages can be authentic at
all. With my hacked zwrite, one can *send* an authentic inter-realm
message (which is received by all in the remote realm as authentic).
It assumes that the recipient principal realm (or *@realm) is the
zephyr realm, and assumes the zephyr realm == zephyr kerberos realm.
Receiving messages from the remote realm is still unauthentic with the
standard zwgc. With *my* hacked zwgc, I could receive authentic
messages from remote realms only from people within that realm;
messages I sent to that realm came back to me unauthentic (well,
forged). Marc changed zwgc to use krb_realmofhost(); so long as that
is correct, it will DTRT and received messages will show up as
authentic.
I won't comment on the principal.instance@kerberosrealm/zephyrrealm
hack.
-derek
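A constructed model of the two zwgc realm-selection rules described in the thread (added example, not code from the list or from Zephyr itself): an HMAC under a per-realm secret stands in for the zephyr.zephyr@REALM service ticket, and the realm names, z-server addresses and keys are made up. It shows why "kerberos realm == sender's principal realm" rejects an Athena user's own inter-realm notice while a krb_realmofhost()-style lookup on the z-server accepts it.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed model, not Zephyr or Kerberos code: one secret per zephyr kerberos
# realm stands in for the zephyr.zephyr@REALM service a client gets a ticket for.
SERVICE_KEYS = {"ATHENA.MIT.EDU": b"athena-service-key", "CYGNUS.COM": b"cygnus-service-key"}

# Constructed stand-in for krb_realmofhost(): z-server address -> its kerberos realm.
ZSERVER_REALM = {"18.0.0.1": "ATHENA.MIT.EDU", "192.0.2.10": "CYGNUS.COM"}


@dataclass
class Notice:
    sender: str      # principal@realm claimed in the notice header
    recipient: str   # principal@realm or *@realm
    body: str
    zserver: str     # address of the z-server the notice arrived from
    authent: bytes   # authenticator tag made under one realm's service key


def _tag(sender, recipient, body, realm):
    msg = f"{sender}\0{recipient}\0{body}".encode()
    return hmac.new(SERVICE_KEYS[realm], msg, hashlib.sha256).digest()


def zwrite_interrealm(sender, recipient, body):
    """Hacked zwrite: assume recipient realm == zephyr realm == zephyr kerberos realm."""
    realm = recipient.split("@", 1)[1]
    zserver = next(a for a, r in ZSERVER_REALM.items() if r == realm)
    return Notice(sender, recipient, body, zserver, _tag(sender, recipient, body, realm))


def authentic_by_sender_realm(n):
    """First zwgc change: kerberos realm == sender's principal realm."""
    realm = n.sender.split("@", 1)[1]
    return hmac.compare_digest(n.authent, _tag(n.sender, n.recipient, n.body, realm))


def authentic_by_realmofhost(n):
    """Later zwgc change: kerberos realm from krb_realmofhost() on the z-server."""
    realm = ZSERVER_REALM[n.zserver]
    return hmac.compare_digest(n.authent, _tag(n.sender, n.recipient, n.body, realm))


# Constructed scenario: an Athena user writes to the CYGNUS realm and is subscribed there too.
FROM_ATHENA = zwrite_interrealm("warlord@ATHENA.MIT.EDU", "*@CYGNUS.COM", "hi")
FROM_CYGNUS = zwrite_interrealm("marc@CYGNUS.COM", "*@CYGNUS.COM", "hi")

if __name__ == "__main__":
    for name, n in (("from ATHENA", FROM_ATHENA), ("from CYGNUS", FROM_CYGNUS)):
        print(name, "sender-realm:", authentic_by_sender_realm(n),
              "realmofhost:", authentic_by_realmofhost(n))
```

The sender-realm rule verifies only notices whose sender lives in the z-server's own realm, which matches the "came back to me unauthentic" behaviour; the lookup rule is correct exactly as long as the address-to-realm mapping is.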