home *** CD-ROM | disk | FTP | other *** search
- Newsgroups: comp.protocols.kerberos
- Path: sparky!uunet!stanford.edu!ksr.com!dean
- From: dean@ksr.com
- Subject: Re: New User Accounts
- Message-ID: <199209022202.AA04565@magrathea.ksr.com>
- Sender: news@shelby.stanford.edu (USENET News System)
- Organization: Internet-USENET Gateway at Stanford University
- Date: Wed, 2 Sep 1992 22:02:34 GMT
- Lines: 39
-
- Actually, I don't have to change the kerberos server (or kerberos
- libraries) at all.
-
- I only need to add some code in the login program and the kinit
- program to talk to the kerberos-securID server before it attempts to
- get tickets for the principal. (And of course implement the
- kerberos-securID server, but most of whats needed is in kadmind.)
-
- As far as distinguishing between accounts which use securID and
- accounts which don't, this isn't a problem, since kerberos still
- works the same as it always did.
-
-
- It will send the password (securely) to the kerberos-SecurID server,
- which would not be able authenticate the password, and so wouldn't
- change the password (private key).
-
-
- Hence when the principal gets the initial tickets from the kerberos
- server, he would be able to decrypt them successfully using his
- password. It would be a good idea to keep a list of those which do
- not use (or those which do use) SecurID to prevent false messages
- about authentication failures.
-
- The problem of reauthentication is definitely a tough one, though it
- is mostly due to the fact that kerberized rlogin and telnet do not
- allow you to dynamically turn encryption on and off. (It would go
- away if all rlogin/telnet sessions were encrypted, but this is
- unfortunately impractical).
-
- Having a modem (or machine on the modem) which did kerberos is
- definitely a good idea, but it still suffers from reauthentication
- problem.
-
- --Dean
-
- Dean Anderson
- KSR Computing Facilities
- Kendall Square Research
-
