about step-by-step guide to Kerberos 5 Interoperability

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Jun 7 11:37:00 EDT 2004


Adding the user to the local machine database is not about
authentication but authorization.  Once the machine has identified
that I am jaltman at ATHENA.MIT.EDU it needs to know whether or not
there is an account which jaltman at ATHENA.MIT.EDU is allowed
to access.

Jeffrey Altman

Lara Adianto wrote:

> Thanks, that's a very clear explanation!
> But I still can't understand why I should add the user
> to the local machine as well. When the server (the
> local machine) does AP-REQ processing, it doesn't need
> the username, right? The server only needs to compare
> the username in the authenticator and the ticket and
> see if the two of them match... Correct me if I'm
> wrong.
> 
> -lara-
> 
> --- Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> 
>>Lara Adianto wrote:
>>
>>>1. ksetup /setmachpassword password
>>>If we don't do this, the user can't log in although on
>>>the KDC side, it seems that AS-REQ is being granted.
>>>Why?
>>>
>>>2. Why do I need to add the user in the local machine
>>>(windows) in order for it to be able to authenticate
>>>to MIT KDC, although actually the username (or the
>>>principal in this case) is already added in the KDC?
>>
>>If pre-authentication is not being used it is possible
>>for anyone to obtain a TGT for any principal, all you
>>must do is ask the KDC for one and it will send it.
>>The TGT is encrypted in the long term key of the principal
>>and it is assumed that only the individual that knows
>>that long term key can decrypt it.  (naive assumption
>>which is why pre-authentication should be required.)
>>
>>The machine you are logging into does not know whether
>>or not pre-authentication was used to obtain the TGT.
>>The user who obtains the TGT must authenticate herself
>>to the machine.  This requires an AS_REQ exchange in
>>order to obtain a service ticket authenticating the
>>user principal to the machine.  Simply obtaining the
>>Service Ticket does not prove authentication.  The
>>machine must be able to decrypt it and perform a
>>mutual authentication proof using the knowledge
>>provided within.
>>
>>The ksetup set machine password command performs the
>>windows equivalent of providing a keytab on Unix.  It
>>gives the machine access to its long term key so that
>>it is capable of decrypting the service ticket the user
>>will present during an authentication at login.
>>
>>Jeffrey Altman
> 
> 
> 
> =====
> ------------------------------------------------------------------------------------ 
> La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
>                                                                         - Guy de Maupassant -
> ------------------------------------------------------------------------------------

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
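The thread separates three things: the KDC hands out tickets without caring who asked (when pre-authentication is off), the host proves the user's identity by decrypting the service ticket with its own long-term key (keytab on Unix, ksetup /setmachpassword on Windows) and checking the authenticator against it, and only then does the host decide whether that principal may use a given local account. The following Python model is an added illustration written for this page, not code from the thread or from MIT Kerberos; the keys, principal names, the `LOCAL_ACCOUNTS` mapping and the timestamp are constructed, the "encryption" is a toy XOR-plus-HMAC construction standing in for the real Kerberos enctypes, and the AS/TGS exchanges are collapsed into one `kdc_issue_service_ticket` step.

```python
import hashlib
import hmac
import json
import os


class AuthenticationError(Exception):
    """Host could not prove who the client is (ticket/authenticator failed)."""


class AuthorizationError(Exception):
    """Client identity proven, but not allowed to use the requested account."""


def _keystream(key, nonce, length):
    # Toy keystream: SHA-256(key || nonce || counter) blocks (constructed stand-in).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a dict under a symmetric key."""
    nonce = os.urandom(12)
    plain = json.dumps(obj).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key, blob):
    """Inverse of seal(); raises ValueError when the key is wrong."""
    nonce, cipher, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cannot decrypt: wrong key")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


# Constructed long-term keys. HOST_KEY is what a keytab / the ksetup machine
# password gives the host; USER_KEYS is what the KDC database holds for users.
HOST_KEY = b"host/ws.example.test long-term key (constructed)"
USER_KEYS = {"jaltman@ATHENA.MIT.EDU": b"jaltman long-term key (constructed)"}

# Authorization data on the host, in the spirit of a .k5login file: which
# principals may log into which local account (constructed sample).
LOCAL_ACCOUNTS = {"jaltman": {"jaltman@ATHENA.MIT.EDU"}, "root": set()}


def kdc_issue_service_ticket(client_principal):
    """KDC side. Without pre-authentication it answers anyone who asks; the
    reply is only usable by whoever holds the client's long-term key."""
    session_key = os.urandom(16)
    ticket = seal(HOST_KEY, {"client": client_principal, "session_key": session_key.hex()})
    enc_part = seal(USER_KEYS[client_principal], {"session_key": session_key.hex()})
    return ticket, enc_part


def client_build_ap_req(client_principal, client_key, ticket, enc_part):
    """Client side. Recovering the session key needs the user's long-term key;
    a requester without it fails here (ValueError) and never reaches the host."""
    session_key = bytes.fromhex(unseal(client_key, enc_part)["session_key"])
    authenticator = seal(session_key, {"client": client_principal, "ctime": 1086622620})
    return ticket, authenticator


def host_verify_ap_req(host_key, ticket, authenticator):
    """Host side, AP-REQ processing: this is authentication. The host decrypts
    the ticket with its own key, then the authenticator with the session key
    found inside, and checks both name the same client."""
    try:
        t = unseal(host_key, ticket)
    except ValueError:
        raise AuthenticationError("host cannot decrypt ticket: no keytab / machine password")
    try:
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    except ValueError:
        raise AuthenticationError("authenticator not built under the ticket session key")
    if a["client"] != t["client"]:
        raise AuthenticationError("ticket and authenticator name different principals")
    return t["client"]


def authorize(principal, local_user):
    """Host side: authorization. Identity is already proven; may it use this account?"""
    return principal in LOCAL_ACCOUNTS.get(local_user, set())


def login(local_user, ticket, authenticator, host_key=HOST_KEY):
    """Full login: authentication first, authorization second. Returns the
    authenticated principal on success."""
    principal = host_verify_ap_req(host_key, ticket, authenticator)
    if not authorize(principal, local_user):
        raise AuthorizationError(f"{principal} authenticated but may not use account {local_user!r}")
    return principal
```

Running `login("root", ...)` with a perfectly valid ticket for jaltman@ATHENA.MIT.EDU fails with `AuthorizationError`, which is the "why add the user locally" question; calling `login` with a host that lacks its key fails earlier with `AuthenticationError`, which is the "why ksetup /setmachpassword" question.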

