daemon@ATHENA.MIT.EDU (Hugh C. Lauer) Wed Jan 24 17:51:43 1990 From: lauer@BTC.KODAK.COM (Hugh C. Lauer) To: kerberos@ATHENA.MIT.EDU Cc: lauer@BTC.KODAK.COM I may have had too high an expectation for Kerberos, or perhaps I am overlooking something obvious. I had hoped that it would help me solve an adminstration problem of a large number of users over a wide area network, but upon experimentation it seems that it does not. What I want to do:- I have a half-dozen or so sites spread across the country, each with a local system administrator (whom I am prepared to trust). I want each site to be able to register its own users, but I want all of the users to be able to login into hosts at the other sites, either physically when they are travelling or remotely via the network. When they do, I want them to at least be recognized as themselves; in a more advanced world, it would be nice to also let them have their own home directories, etc. So I started experimenting with Kerberos; for the time being, I avoided replicated databases and multiple realms. For basics, I tried creating a number of fictitious users in a single Kerberos database, then set up and registered some services with the same database. Then I authenticated myself as one of these fictitious users and tried to do what a real remote user would have done -- rlogin to one of the registered servers. The authentication seemed to proceed to completion, but the server returned an error message of the following form:- pyramus% rlogin tundra login: lauer has not given you permission to login without a password. Password: The only password that it seemed accept is MY personal password. Of course, the fictitious user is not registered in /etc/passwd on the remote machine, so what user id would he have become if he did successfully log in? do all such users become me? Am I overlooking something very simple and dumb, or am I expecting too much of Kerberos? Do I have to register all of the users of all of my sites in a giant /etc/passwd file and propagate it everywhere? or what? Thanks, /Hugh Lauer Kodak Boston Technology Center
daemon@ATHENA.MIT.EDU (Jon A. Rochlis) Wed Jan 24 20:16:34 1990 From: jon@MIT.EDU (Jon A. Rochlis) To: lauer@BTC.KODAK.COM (Hugh C. Lauer) Cc: kerberos@ATHENA.MIT.EDU In-Reply-To: Your message of Wed, 24 Jan 90 17:33:26 -0500. Am I overlooking something very simple and dumb, or am I expecting too much of Kerberos? I think you are expecting too much. Remember Kerberos is just providing authentication service (it tells a service who you are), nothing more. What you are asking for is authorization (should the service allow you to access its resources, i.e. login in the case of an remote login service). Do I have to register all of the users of all of my sites in a giant /etc/passwd file and propagate it everywhere? or what? Basically you must have some authorization policy which your remote login server implements. The most obvious is the default: if kerberos user "a.b@r" tries to login as unix user xxx look up xxx in /etc/passwd if xxx doesn't exist deny the login (possibly failing back to asking for an account/password, which has *nothing* to do with kerberos) if xxx does exist then look in ~xxx/.klogin for a line authorizing a.b@r to login as xxx. if found allow the login. if ~xxx/.klogin doesn't exist allow the login only if the kerberos name is xxx.null@local-realm (I should mention that if you're logged into a unix machine as "lauer", kinit as "testuser", and type "rlogin somehost", you will be attempting to login to "somehost" as the unix user "lauer" with Kerberos credentials of "testuser.null@local-realm". If you wanted to login say, as root, you would need to do "rlogin somehost -l root", and if testuser was in ~/.klogin on somehost you would win.) The issue here as you note, is how you get /etc/passwd on the thousands of machines you might find. You have a couple of realistic options: maintain accounts in a central database and download to each server periodically maintain accounts in a central database and have the servers query nameservers to get the data (ala Yellow Pages and Hesiod) (note there are security issues with how this information is delivered to the servers) Athena has several systems which help out with authorization. Including Moira (the service managment system) and Hesiod (the nameserver). There are several papers about this available for anonymous ftp from athena-dist.mit.edu, including a paper outlining all the various services which make up the Athena distributed environment. Kerberos is just one of the services. Expecting Kerberos to provide all the services required to run such an environment is asking a bit much. -- Jon
daemon@ATHENA.MIT.EDU (Jerome H Saltzer) Thu Jan 25 15:37:07 1990 To: lauer@BTC.KODAK.COM (Hugh C. Lauer), jon@MIT.EDU (Jon A. Rochlis) Cc: kerberos@ATHENA.MIT.EDU From: Jerome H Saltzer < Saltzer@MIT.EDU> In-Reply-To: Message of Wed, 24 Jan 90 19:35:38 EST Jon is correct that the question here is one of authorization policy, which lies outside Kerberos. However, it may not be so hard to create a policy that does what Hugh needs. The key is his assertion that he is prepared to trust the various administrators of his several systems. Suppose he were to modify the remote login server policy to be something like the following: if kerberos user "xxx@r" tries to login as unix user xxx look up xxx in /etc/passwd if xxx doesn't exist then if "r" is the realm that this system trusts ("local-realm") create user xxx, with password "*" if not, deny the login if xxx does exist then look in ~xxx/.klogin for a line authorizing xxx@r to login as xxx. if found allow the login. if ~xxx/.klogin doesn't exist allow the login only if the kerberos name is xxx.null@local-realm That is essentially the same policy we use on Athena workstations (with regular login, rather than rlogin) and it seems to have approximately the properties that Hugh requires. Making the same change in policy to local login would permit a Kerberos-registered user to walk up to a system at a different site and login. Jerry