Kerberos and integrated login
Douglas E. Engert
deengert at anl.gov
Thu Jan 16 11:25:13 EST 2003
Kenneth Stephen wrote:
>
> Hi,
>
> DCE (atleast IBM DCE does) provides an integrated login daemon
> which if running on a DCE client, allows a dce login to a DCE user even if
> the user is not a local user. No more duplication of userid databases -
> one just has to be defined as a user in the DCE registry. Is there an
> equivalent for Kerberos?
You might be starting to mix authentication with authorization. Kerberos
only does authenticaiton. Where as DCE is using Kerberos for
authentication, then making authorization decisions using the DCE registry
information. So there is no equivalent, as Kerberos does not maintain
an authorization database.
But there is a way to use a Kerberos ticket to get a DCE context.
We did this for years, where we would use the MIT Kerberized rlogin,
telnet, ftp and SSH programs which only do Kerberos and use the
forwarded ticket to get a DCE context for access to DFS.
The k5dcelogin and k5dcecon programs. The k5dcecon could be used
from PAM, if your operating system had PAM.
See:
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5dce.20010824.tar
>
> Thanks,
> Kenneth
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list