
Re: Moving contrib and non-free of master.debian.org



In article <19990629190649.B2682@csh.rit.edu> you write:
>On Wed, Jun 30, 1999 at 08:31:55AM +1000, Brian May wrote:
>
>> > SSH
>> > 
>> > Difficult to replace at present.
>[...]
>> <flame proof suit>
>> What about kerberos?
>
>SSH works well across administrative boundaries.  Kerberos (to my knowledge)
>requires that both parties trust a common KDC in order to authenticate.
>This would make it an incomplete replacement for SSH.

No. It is not required to trust a common KDC. From what I know, there
are two ways you can talk to sites across administrative boundaries
(i.e. different realms).

I will use an example to simplify matters. Say I wanted to telnet to
my computer snoopy.apana.org.au, which has a realm of CHOCBIT.ORG.AU,
from Monash Uni, which has a realm (actually it doesn't use Kerberos)
of MONASH.EDU.AU.

1. interrealm authentication. I authenticate myself to the MONASH.EDU.AU
realm and become known, in the Kerberos world as bam@MONASH.EDU.AU. In
my $HOME/.k5login file, I would have to specify that bam@MONASH.EDU.AU
is allowed to log in as me.

Of course snoopy would have to trust the MONASH.EDU.AU KDC that when it
says I am bam@MONASH.EDU.AU, I really am bam@MONASH.EDU.AU (maybe some
system administrator has `lied'). Hence I wouldn't use this method, unless
I was positive of the security of the MONASH.EDU.AU KDC. However, I
don't think ssh is much better, especially if you store private keys...

Note: Even if somebody did break into the MONASH.EDU.AU KDC, no one
could pretend to be bam@CHOCBIT.ORG.AU unless they broke into that KDC,
too.

2. log into each realm that you may use manually. There is no reason
that you have to use anything special to do this. Currently though,
this involves manually keeping track of separate ticket files for each
realm. With respect to the other problem, of finding the realm and server
for a given hostname, there is a proposed solution to add DNS entries to
contain this information.

Of course, logging into multiple realms requires another password for
each realm, but IMHO, this is better than sharing a common private key
for multiple hosts (ssh method). Anyway, how many completely separate
realms are you likely to access in one session?

-- 
Brian May <bam@snoopy.apana.org.au>
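The authorization step the post describes under method 1 (the remote host accepts bam@MONASH.EDU.AU only because $HOME/.k5login says so) is the krb5_kuserok() rule: without a .k5login, only the same user name in the host's own realm is accepted; with one, the principal must be listed exactly, realm included. The following is an added example written for this page, not code from the post or from any Kerberos implementation; the principals, realms, and the ~/.k5login contents are constructed to match the post's scenario.

```python
"""Kerberos login authorization in the style of krb5_kuserok().

Authentication (which KDCs do, across realms via cross-realm keys) answers
"who is this principal?"; authorization answers "may that principal log in
as this local account?", which is what ~/.k5login controls. This is an
illustrative reimplementation, not MIT krb5's code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # The realm follows the last '@'; both halves must be non-empty.
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"not a principal: {text!r}")
        return cls(name, realm)

    def __str__(self) -> str:
        return f"{self.name}@{self.realm}"


def parse_k5login(text: str) -> List[Principal]:
    """One principal per line; blank lines are ignored.

    Real krb5 also refuses a .k5login that is not owned by the user, since
    a writable file would let anyone grant themselves access; that file
    permission check is outside this illustration.
    """
    return [Principal.parse(line.strip())
            for line in text.splitlines() if line.strip()]


def kuserok(authenticated: Principal, local_user: str, local_realm: str,
            k5login: Optional[str]) -> bool:
    """Return True if `authenticated` may log in as `local_user`.

    - No ~/.k5login: only <local_user>@<local_realm> is accepted, so a
      same-named principal from a foreign realm is refused.
    - ~/.k5login present: the principal must appear in it exactly, realm
      included. This is how a user opts in to a cross-realm identity, and
      it is also why the listed foreign KDC must be trusted: whoever
      controls MONASH.EDU.AU can claim to be any name in that realm, but
      still cannot mint bam@CHOCBIT.ORG.AU.
    """
    if k5login is None:
        return authenticated == Principal(local_user, local_realm)
    return authenticated in parse_k5login(k5login)


# Constructed scenario from the post: snoopy lives in CHOCBIT.ORG.AU,
# the user authenticated at Monash as bam@MONASH.EDU.AU.
LOCAL_REALM = "CHOCBIT.ORG.AU"
FOREIGN = Principal.parse("bam@MONASH.EDU.AU")
LOCAL = Principal.parse("bam@CHOCBIT.ORG.AU")
K5LOGIN_OPT_IN = "bam@CHOCBIT.ORG.AU\nbam@MONASH.EDU.AU\n"


def scenario() -> dict:
    """Decisions for the post's cases, keyed by a short label."""
    return {
        "foreign, no .k5login": kuserok(FOREIGN, "bam", LOCAL_REALM, None),
        "local, no .k5login": kuserok(LOCAL, "bam", LOCAL_REALM, None),
        "foreign, opted in": kuserok(FOREIGN, "bam", LOCAL_REALM, K5LOGIN_OPT_IN),
        # A .k5login that omits the local principal locks it out too.
        "local, not listed": kuserok(LOCAL, "bam", LOCAL_REALM,
                                     "bam@MONASH.EDU.AU\n"),
    }


if __name__ == "__main__":
    for label, allowed in scenario().items():
        print(f"{label:24s} -> {'allow' if allowed else 'deny'}")
```

Note the last case: once a .k5login exists it is the complete allow-list, so a user who adds bam@MONASH.EDU.AU without also listing bam@CHOCBIT.ORG.AU cuts off their own local-realm login.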
