Kerberos and integrated login

Douglas E. Engert deengert at anl.gov
Thu Jan 16 11:25:13 EST 2003


Kenneth Stephen wrote:
> 
> Hi,
> 
>         DCE (atleast IBM DCE does) provides an integrated login daemon
> which if running on a DCE client, allows a dce login to a DCE user even if
> the user is not a local user. No more duplication of userid databases -
> one just has to be defined as a user in the DCE registry. Is there an
> equivalent for Kerberos?

You might be starting to mix authentication with authorization. Kerberos
only does authenticaiton. Where as DCE is using Kerberos for
authentication, then making authorization decisions using the DCE registry
information. So there is no equivalent, as Kerberos does not maintain
an authorization database. 

But there is a way to use a Kerberos ticket to get a DCE context. 
We did this for years, where we would use the MIT Kerberized rlogin,
telnet, ftp and SSH programs which only do Kerberos and use the 
forwarded ticket to get a DCE context for access to DFS. 

The k5dcelogin and k5dcecon programs. The k5dcecon could be used 
from PAM, if your operating system had PAM. 
 
See:
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5dce.20010824.tar
 

> 
> Thanks,
> Kenneth
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444



More information about the Kerberos mailing list