Newsgroups: comp.protocols.kerberos
Path: sparky!uunet!stanford.edu!OCFMAIL.OCF.LLNL.GOV!nessett
From: nessett@OCFMAIL.OCF.LLNL.GOV (Danny Nessett)
Subject: Existing authentication mechanisms have a deficiency
Message-ID: <9209082303.AA10434@ocfmail.ocf.llnl.gov>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Date: Tue, 8 Sep 1992 23:03:34 GMT
Lines: 25

It seems to me, after the discussion about su, ksu, etc., that something is
missing from existing distributed authentication mechanisms. I am not picking
on Kerberos here, since I think the criticism is valid for other systems, such
as SPX. What I mean is this.

If an organization wants to keep its authentication data in exactly one place,
existing authentication mechanisms are insufficient. As Chuck Athey has pointed
out, you need at least an entry for root in /etc/passwd for the system to
be administered and integrated into a Kerberos realm. This means two sources
of authentication data must be maintained, one in the system's /etc/passwd
file (or some surrogate such as a yp database) and one in the Kerberos
database.

In order to keep all authentication data in one place, there needs to be
a suid root routine on each machine that accepts a user id and password from
a directly connected terminal, requests the appropriate credentials from
the Kerberos server (or SPX CDC server, etc.) and executes the appropriate
authentication test. This same suid root routine could be used by a modified
su utility or by any other program that wants to do on-machine authentication.

Dan Nessett
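
The following is an added illustration, not code from the post or from any Kerberos implementation: a toy Python model of the proposed suid root routine and of the "appropriate authentication test" it must run. A keyed hash stands in for Kerberos encryption so the exchange runs offline, and the principal names, the `Kdc` class and the `keytab` dict are assumptions of this example. The point it shows is that merely being able to read the AS reply proves nothing, because a host that only talks to the network can be answered by an impostor KDC keyed under whatever password the caller typed; the helper therefore also obtains a ticket for the host's own service principal and validates it with the one secret the machine still keeps locally, its keytab key.

```python
import hashlib
import hmac
import secrets

def string_to_key(password, salt):
    # Stand-in for the Kerberos string2key function: password -> long-term key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key, payload):
    # Toy "encryption": payload plus a MAC, so only a holder of `key` can validate it.
    return payload + hmac.new(key, payload, "sha256").digest()

def unseal(key, blob):
    payload, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(key, payload, "sha256").digest())
    return payload if ok else None

class Kdc:
    """Toy KDC: the single place that holds long-term keys (constructed for this example)."""
    def __init__(self, keys):
        self.keys = dict(keys)                  # principal name -> long-term key
        self.tgt_key = secrets.token_bytes(32)  # krbtgt key, never leaves the KDC

    def as_exchange(self, principal):
        # AS-REQ/AS-REP: session key sealed under the user's key, plus a TGT.
        if principal not in self.keys:
            return None
        session = secrets.token_bytes(16)
        tgt = seal(self.tgt_key, principal.encode() + b"|" + session)
        return seal(self.keys[principal], session), tgt

    def tgs_exchange(self, tgt, service):
        # TGS-REQ/TGS-REP: service ticket sealed under the service's own key.
        body = unseal(self.tgt_key, tgt)
        if body is None or service not in self.keys:
            return None
        return seal(self.keys[service], body.split(b"|")[0] + b"@" + service.encode())

def suid_helper_login(kdc, principal, password, keytab):
    """The proposed suid-root routine: verify a password with no local user entry.
    keytab = {"name": host principal, "key": its key}: the only secret kept on the
    machine, used to reject a forged AS-REP from an impostor KDC."""
    rep = kdc.as_exchange(principal)
    if rep is None or unseal(string_to_key(password, principal), rep[0]) is None:
        return False                        # unknown user or wrong password
    ticket = kdc.tgs_exchange(rep[1], keytab["name"])
    body = None if ticket is None else unseal(keytab["key"], ticket)
    return body == principal.encode() + b"@" + keytab["name"].encode()
```

The second check is what real deployments get from verifying a freshly obtained service ticket against the local keytab; without it, a helper that only asks "did the reply decrypt?" accepts an answer from anyone who can reach the host first.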