Root Authentication

James Walthall jwaltha at us.ibm.com
Thu Mar 4 12:15:47 EST 2004


How does root authentication work with kerberos?

To my understanding, it appears as if the root user can authenticate both 
locally and on the kerberos KDC.

I have successfully been able to login onto a kerberized redhat linux 8 
machine using both the root password
established locally as well as the kerberos principle password without 
making any configuration changes between
logins.

I assume this is working as designed. Any idea how to disable the local 
logon for root while still allowing the
kerberized logon (or is this just a bad idea altogether?)

Thanks in advance!

---------------
James Walthall Jr
IBM Host Integration Server Test / HATS
Outside: (919) 254-8869
Tieline: 444-8869
Research Triangle Park
Raleigh, North CarolinaaFrom news at ra.nrl.navy.mil Thu Mar  4 20:56:18 2004
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
	[18.7.21.83])
	by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i251uIqb029890
	for <kerberos at PCH.mit.edu>; Thu, 4 Mar 2004 20:56:18 -0500 (EST)
Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121])
	i251uGta000295
	for <kerberos at MIT.EDU>; Thu, 4 Mar 2004 20:56:16 -0500 (EST)
Received: (from news at localhost)
	by ra.nrl.navy.mil (8.11.7p1+Sun/8.11.7) id i251o5L05148
	for kerberos at MIT.EDU; Thu, 4 Mar 2004 20:50:05 -0500 (EST)
From: Russ Allbery <rra at stanford.edu>
X-Newsgroups: comp.protocols.kerberos
Date: Thu, 04 Mar 2004 17:43:08 -0800
Organization: The Eyrie
Message-ID: <87brnc9ihf.fsf at windlord.stanford.edu>
References: <3f5ba094.0403041516.1915ec69 at posting.google.com>
To: kerberos at MIT.EDU
Subject: Re: WebISO: the killer kerberos app?
X-BeenThere: kerberos at mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Help: <mailto:kerberos-request at mit.edu?subject=help>
List-Post: <mailto:kerberos at mit.edu>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request at mit.edu?subject=subscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request at mit.edu?subject=unsubscribe>
X-List-Received-Date: Fri, 05 Mar 2004 01:56:18 -0000

Christopher Kranz <clk at princeton.edu> writes:

> I've been looking into a number of WebISO solutions over the last
> several months.  The one thing that struck me is how Kerberos like a
> number of the solutions appear to be.  That is, they use a trusted 3rd
> party with a shared secret and then have a persistent token that allows
> logins without having to re-authenticate for some amount of time.

> It occurred to me that if you think of the web client as the credentials
> cache Kerberos could easily be used as a WebISO solution.  The web
> client connects to the web app.  If you don't already have a service
> ticket you get redirected to a login server that will prompt you for
> your Kerberos password and get a TGT for you if you do not already have
> one.  So in a sense the web client plus the login server combined looks
> like the traditional Kerberos client.  The login server contacts the KDC
> and gets a TGT and creates a service ticket for the web app.  It ships
> these back to the web client as cookies.  The web client now has
> credentials to give to the web app.  If the client connects to another
> Kerberized web app it is again redirected to the login server but this
> time it can use the stored TGT to obtain a service ticket for the new
> web application.

This is exactly the design of Stanford's WebAuth v3.  :)  See:

    <http://webauthv3.stanford.edu/>

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list