Kerberos and integrated login

Luke Howard lukeh at PADL.COM
Thu Jan 16 01:11:42 EST 2003


Kenneth,

Most Kerberos servers are authentication-only servers: they do not
store the additional attributes necessary to perform authorization
under Unix, and even if they did, Unix systems generally don't pay
attention to Kerberos authorization data, so they would need to 
expose this information by some other protocol. And even if the
Unix system honoured numeric UIDs and GIDs in the authorization
data, a directory of sorts is still needed post-logon in order
to do name resolution, say, when you type "ls -al". 

The DCE security registry supported Extended Registry Attributes
(ERAs) which could be used for such information, and could be
integrated with the local Unix nameservice -- indeed, Paul
Henson's nss_dce was one of the first third-party nameservice
switch modules.

There is a moral equivalent, and that's using an integrated
authentication and directory server: Active Directory is a good
example, but one could just as easily use the LDAP backend to
Heimdal we wrote some time back along with our nss_ldap module
and pam_krb5. The backend and modules are all open source.

It's important to understand that a user's numeric user and group
IDs, along with their home directory, shell, etc, are all required
at Unix logon time, and these have to come from somewhere. Without
getting into a religious argument, storing this information along
with a user's key in a single repository offers some administrative
reward at the expense of increasing exposure should the directory
be compromised.

-- Luke

>From: Kenneth Stephen <y2kmvs at ebiz.austin.ibm.com>
>Subject: Kerberos and integrated login
>To: <kerberos at mit.edu>
>Date: Wed, 15 Jan 2003 22:01:01 -0600 (CST)
>
>Hi,
>
>	DCE (at least IBM DCE does) provides an integrated login daemon
>which if running on a DCE client, allows a DCE login to a DCE user even if
>the user is not a local user. No more duplication of userid databases -
>one just has to be defined as a user in the DCE registry. Is there an
>equivalent for Kerberos?
>
>Thanks,
>Kenneth
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>http://mailman.mit.edu/mailman/listinfo/kerberos

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
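As a concrete illustration of the arrangement Luke describes (Kerberos proving identity, a directory supplying the Unix account attributes), here is a constructed set of client-side fragments. This is an added example, not configuration from the original message or from PADL's own documentation: it uses the Linux-PAM stack syntax, nss_ldap's /etc/ldap.conf keywords, and a plain posixAccount entry; the host names, the dc=example,dc=com suffix and the user "alice" are placeholders.

```conf
# Added example (not from the original post): three constructed client
# config files plus one directory entry, wiring Kerberos authentication
# (pam_krb5) to an LDAP-backed name service (nss_ldap).  Host names, the
# dc=example,dc=com suffix and the account "alice" are placeholders.

# ---- /etc/nsswitch.conf: local files first, then the directory ----
# This is the piece that lets "ls -al" turn uidNumber 10001 back into a
# name after logon; Kerberos alone has nothing to answer that query with.
passwd:  files ldap
shadow:  files ldap
group:   files ldap

# ---- /etc/ldap.conf (nss_ldap client settings) ----
uri              ldap://ldap.example.com/
base             dc=example,dc=com
ldap_version     3
# Protect the lookups in transit and pin the server certificate; a client
# that accepts an unauthenticated directory answer can be handed forged
# uidNumber/gidNumber values and so a forged authorization decision.
ssl              start_tls
tls_cacertfile   /etc/ssl/certs/example-ca.pem
tls_checkpeer    yes
nss_base_passwd  ou=People,dc=example,dc=com?one
nss_base_group   ou=Group,dc=example,dc=com?one

# ---- /etc/pam.d/login: Kerberos proves identity, NSS supplies the account ----
# pam_krb5 obtains a TGT with the typed password.  The host should hold its
# own keytab so the module can verify that TGT against the host key instead
# of trusting whatever answered on the KDC port.
auth     sufficient pam_krb5.so
auth     required   pam_unix.so try_first_pass
# pam_unix's account check resolves the user through NSS, so with the
# nsswitch.conf above it is the LDAP entry that is being validated here.
account  required   pam_unix.so
session  required   pam_mkhomedir.so skel=/etc/skel umask=0022
session  required   pam_unix.so

# ---- LDIF for the entry nss_ldap returns for "alice" ----
# The Kerberos key is held by the KDC (or, with the Heimdal LDAP backend,
# elsewhere in the same directory); this entry carries only the Unix
# attributes that have to exist at logon time.
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/sh
```

Note that the LDIF entry above holds no secret: a read of it yields the authorization attributes but not the user's key. That changes when the Kerberos database is moved into the same directory (as with the Heimdal LDAP backend or Active Directory), which is the trade-off between administrative convenience and exposure on compromise that the message points out.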
