Kerberos and integrated login

Kenneth Stephen y2kmvs at ebiz.austin.ibm.com
Thu Jan 16 11:57:52 EST 2003


On Thu, 16 Jan 2003, Douglas E. Engert wrote:

>
>
> Kenneth Stephen wrote:
> >
> > Hi,
> >
> >         DCE (at least IBM DCE does) provides an integrated login daemon
> > which if running on a DCE client, allows a dce login to a DCE user even if
> > the user is not a local user. No more duplication of userid databases -
> > one just has to be defined as a user in the DCE registry. Is there an
> > equivalent for Kerberos?
>
> You might be starting to mix authentication with authorization. Kerberos
> only does authentication. Whereas DCE is using Kerberos for
> authentication, then making authorization decisions using the DCE registry
> information. So there is no equivalent, as Kerberos does not maintain
> an authorization database.
>
> But there is a way to use a Kerberos ticket to get a DCE context.
> We did this for years, where we would use the MIT Kerberized rlogin,
> telnet, ftp and SSH programs which only do Kerberos and use the
> forwarded ticket to get a DCE context for access to DFS.
>
> The k5dcelogin and k5dcecon programs. The k5dcecon could be used
> from PAM, if your operating system had PAM.
>
> See:
> ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5dce.20010824.tar
>
Doug,

	Thanks for the explanation. I don't know if you know this but the
DCE source code is available for download at the OpenGroup ftp site, and
the security server code does have an implementation of k5dcelogin in it
(haven't checked for k5dcecon). Thanks for the pointers.

Kenneth
