home *** CD-ROM | disk | FTP | other *** search
- Newsgroups: comp.protocols.kerberos
- Path: sparky!uunet!stanford.edu!ATHENA.MIT.EDU!bjaspan
- From: bjaspan@ATHENA.MIT.EDU ("Barry Jaspan")
- Subject: Re: Existing authentication mechanisms have a deficiency
- Message-ID: <9209091759.AA09057@portnoy.MIT.EDU>
- Sender: news@shelby.stanford.edu (USENET News System)
- Organization: Internet-USENET Gateway at Stanford University
- Date: Wed, 9 Sep 1992 17:59:59 GMT
- Lines: 32
-
-
- Date: Wed, 9 Sep 92 09:14:34 PDT
- From: nessett@ocfmail.ocf.llnl.gov (Danny Nessett)
-
- One could imagine a system configured so that all on-machine
- authentication requests contacted the appropriate server, say the
- Kerberos server ...
-
- Yes, that is part of what Kerberos does, for all the reasons you
- mentioned.
-
- ... my suggestion about modifying su to contact the appropriate
- server to perform authentication was along these lines.
-
- And that is *exactly* what ksu does. It uses a central authentication
- service, Kerberos, to determine the identity of a user, and then a
- local authorization service, the /.klogin file, to determine whether
- or not to allow the authenticated individual to become root on the
- local host. The /etc/passwd file is not consulted for authentication
- or authorization information.
-
- Hmmm.. Are suggesting that a modified su should request a tgt for the
- Kerberos principal root (as opposed to the Unix user root) and allow
- root access if the correct Kerberos password is provided? That's a
- possibility (given the caveats in the Kerberos FAQ question #9), but
- it seems much less flexible to define one "root password" for all
- machines on the network instead of allowing each machine to specify
- its own set of "root users".
-
- In short, I do not understand what you think should be changed.
-
- Barry
-
