Kerberos and integrated login
Douglas E. Engert
deengert at anl.gov
Thu Jan 16 12:33:02 EST 2003
I have not touched DCE in a few years, as we turned it off. It never
caught on. DFS was the only real application, but we had and still have AFS.
I know DCE picked up k5dcelogin, which must be exec'ed between
the daemon, like rlogind, and the user shell, so as to keep the PAG
in the same process. It does not work with FTP. The k5dcecon could be
run as a sub process, as long as the PAG could be set by the parent.
(Sharing of DCE libs, Kerberos libs, threads etc. forced this separation.)
You will note AFS is still around. One reason, I think, is
that one can separate the authentication from the authorization. AFS
has its own authorization database, the PTS. All you need is an AFS token
to authenticate to AFS. This authentication can be done by a number
of different means: the built in Kerberos V4 AFS code (which is being updated
to K5); a Kerberos V5 aklog to krb524d which could be using the DCE secd K5 support;
gssklog using Kerberos GSS, or even gssklog using the Globus SSL/X509 certificate
based GSI.
This works well as the authentication is done at a global level, whereas
the authorization is done at a lower level. The realms/cells/domains
for authentication and authorization do not have to coincide.
Kenneth Stephen wrote:
>
> On Thu, 16 Jan 2003, Douglas E. Engert wrote:
>
> >
> >
> > Kenneth Stephen wrote:
> > >
> > > Hi,
> > >
> > > DCE (at least IBM DCE does) provides an integrated login daemon
> > > which if running on a DCE client, allows a dce login to a DCE user even if
> > > the user is not a local user. No more duplication of userid databases -
> > > one just has to be defined as a user in the DCE registry. Is there an
> > > equivalent for Kerberos?
> >
> > You might be starting to mix authentication with authorization. Kerberos
> > only does authentication, whereas DCE is using Kerberos for
> > authentication, then making authorization decisions using the DCE registry
> > information. So there is no equivalent, as Kerberos does not maintain
> > an authorization database.
> >
> > But there is a way to use a Kerberos ticket to get a DCE context.
> > We did this for years, where we would use the MIT Kerberized rlogin,
> > telnet, ftp and SSH programs which only do Kerberos and use the
> > forwarded ticket to get a DCE context for access to DFS.
> >
> > The k5dcelogin and k5dcecon programs. The k5dcecon could be used
> > from PAM, if your operating system had PAM.
> >
> > See:
> > ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5dce.20010824.tar
> >
> Doug,
>
> Thanks for the explanation. I don't know if you know this but the
> DCE source code is available for download at the OpenGroup ftp site, and
> the security server code does have an implementation of k5dcelogin in it
> (haven't checked for k5dcecon). Thanks for the pointers.
>
> Kenneth
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
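As an added illustration of the point made above about keeping authentication and authorization apart (this is example code written for this page; it is not from the post, from AFS, or from DCE): a small Python model of a PTS-style authorization database that sits behind several authentication mechanisms. Each mechanism (a Kerberos V5 principal, a GSI-style X.509 subject) only yields an identity; one protection database maps that identity to a local entry and groups, and the ACL decision looks at the local entry alone, so the realm a user authenticated in and the cell that authorizes them need not coincide. The realm EXAMPLE.ORG, the partner realm, the DN-to-identity rule, the ACL contents and the approximation of system:authuser as "registered in this PTS" are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed values for this example: the Kerberos realm(s) whose users are
# treated as local to this cell, and the AFS directory rights alphabet.
LOCAL_REALMS = {"EXAMPLE.ORG"}
RIGHTS = set("rlidwka")   # read, lookup, insert, delete, write, lock, administer


@dataclass(frozen=True)
class Identity:
    """Result of an authentication step: who, proven where, and how."""
    name: str
    realm: str
    mechanism: str


def identity_from_krb5(principal: str) -> Identity:
    """Identity from a Kerberos V5 principal such as 'alice@EXAMPLE.ORG'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return Identity(name, realm.upper(), "krb5")


def identity_from_x509(subject_dn: str) -> Identity:
    """Identity from a GSI-style subject DN such as '/C=US/O=partner.example/CN=bob'.
    Assumed rule for this example: CN is the user and O (uppercased) plays the realm."""
    parts = dict(p.split("=", 1) for p in subject_dn.strip("/").split("/") if "=" in p)
    if "CN" not in parts or "O" not in parts:
        raise ValueError(f"subject lacks CN or O: {subject_dn!r}")
    return Identity(parts["CN"], parts["O"].upper(), "x509")


def pts_name(ident: Identity) -> str:
    """Map an authenticated identity to its name in the authorization database.
    Local-realm users keep the bare name; everyone else becomes 'name@realm'
    (lowercased), the way AFS names users from a foreign cell. The mechanism
    is deliberately ignored: krb5 and x509 proofs of the same name converge."""
    if ident.realm in LOCAL_REALMS:
        return ident.name
    return f"{ident.name}@{ident.realm.lower()}"


@dataclass
class PTS:
    """A minimal stand-in for the AFS protection database: users and groups."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)   # group name -> set of user names

    def create_user(self, name: str) -> None:
        self.users.add(name)

    def add_member(self, group: str, user: str) -> None:
        if user not in self.users:
            raise KeyError(f"unknown PTS user {user!r}")
        self.groups.setdefault(group, set()).add(user)

    def memberships(self, user: str) -> set:
        return {g for g, members in self.groups.items() if user in members}


def check_access(pts: PTS, acl: dict, ident: Identity, wanted: str) -> bool:
    """AFS-style ACL decision. Rights are the union over every ACL entry that
    applies to the caller: system:anyuser always, plus the user's own entry,
    system:authuser and the user's groups when the user exists in the PTS.
    (system:authuser is approximated here as 'registered in this PTS'.)"""
    wanted_set = set(wanted)
    if not wanted_set or not wanted_set <= RIGHTS:
        raise ValueError(f"unknown rights in {wanted!r}")
    user = pts_name(ident)
    subjects = {"system:anyuser"}
    if user in pts.users:
        subjects |= {user, "system:authuser"} | pts.memberships(user)
    granted = set()
    for subject in subjects:
        granted |= set(acl.get(subject, ""))
    return wanted_set <= granted


def demo() -> dict:
    """Constructed scenario: a local user, a registered foreign-realm user
    who authenticates two different ways, and an unregistered stranger."""
    pts = PTS()
    pts.create_user("alice")
    pts.create_user("bob@partner.example")
    pts.add_member("project:staff", "alice")
    pts.add_member("project:staff", "bob@partner.example")
    acl = {"alice": "rlidwka", "project:staff": "rlidwk", "system:anyuser": "l"}

    bob_k5 = identity_from_krb5("bob@PARTNER.EXAMPLE")
    bob_x509 = identity_from_x509("/C=US/O=partner.example/CN=bob")
    stranger = identity_from_krb5("mallory@OTHER.REALM")
    return {
        "alice_admin": check_access(pts, acl, identity_from_krb5("alice@EXAMPLE.ORG"), "a"),
        "bob_krb5_write": check_access(pts, acl, bob_k5, "rlw"),
        "bob_x509_write": check_access(pts, acl, bob_x509, "rlw"),
        "bob_admin": check_access(pts, acl, bob_k5, "a"),
        "stranger_lookup": check_access(pts, acl, stranger, "l"),
        "stranger_read": check_access(pts, acl, stranger, "r"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:16} {'allowed' if allowed else 'denied'}")
```

The two bob cases are the point: a Kerberos ticket from PARTNER.EXAMPLE and an X.509 subject with O=partner.example are different authentications but land on the same PTS entry, so the ACL answers the same way for both, while the unregistered mallory gets only what system:anyuser grants. Swapping in another mechanism (a krb524-derived token, a GSS name) means writing one more identity_from_* function and nothing else; the authorization side never changes.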