Davor Ocelic <[EMAIL PROTECTED]> writes:
>> 2. Do we really need separate identities for separate machines? My
>> understanding was that the whole service/[EMAIL PROTECTED] convention
>> was for preventing man-in-the-middle attacks for things like
>> kerberized telnet. If we're only using kerberos in order to
>> support AFS, I don't know if it's really necessary.
>
> We use kerberos for everything? Both for things that are running now,
> and things that we can add in the future.
Just to further explain this...

As I understand it, the origin of the whole service/[EMAIL PROTECTED] thing
was this: suppose you're MIT, and you have a few thousand host
machines running kerberized telnetd. Lots of those machines belong to
people who you trust to run that particular machine only.

Kerberos prevents MITM attacks by having the *client* authenticate the
*server* as telnet/<host-you-thought-you-were-connecting-to>@REALM.
If the server can't provide tickets proving that it is
telnet/[EMAIL PROTECTED], the client suspects a MITM and aborts. If
there were only one principal ([EMAIL PROTECTED]), then shifty grad
students with their own desktop machines could use that machine's
telnet keytab to impersonate and MITM connections to other machines.
Hence the need for per-host principals.

There's a similar setup for kerberized http (but IMHO https+X509 won
a pretty decisive victory there).

I guess the crux of my point is that at HCOOP we don't use kerberos
directly for any service that works this way, and we're unlikely to do
so in the future since all non-AFS [*] authentication is done via PAM.

- a

[*] due to a design limitation in AFS, all fileservers/dbservers must
use the same key -- in fact, AFS keys break convention by using
the name afs/<cell>@REALM, not afs/<host>@REALM.
_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
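The per-host principal argument in the message above, modelled as a small Python simulation. This is an added example, not code from the thread or from HCoop's setup: the realm `EXAMPLE.ORG`, the hosts `hosta`/`hostb` and the user `alice` are constructed names, the AS/TGS exchange is collapsed into one `service_ticket()` call, and a SHA-256 keystream with an HMAC tag stands in for the real Kerberos encryption types. The client asks the KDC for a ticket for the service it *thinks* it is reaching (`telnet/hostb...`) and accepts a peer only if that peer can open the ticket and answer under the session key inside it. With per-host principals, a machine holding only host A's keytab cannot open a ticket issued for host B and the client rejects it; with a single shared `telnet@REALM` principal every keytab opens every ticket, which is exactly the impersonation the message describes.

```python
"""Toy model of Kerberos mutual authentication (added example; names, keys and
the cipher are constructed stand-ins, not the thread's or HCoop's code)."""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.ORG"  # constructed realm name


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> dict:
    """Authenticated toy encryption of a JSON-serialisable dict under `key`."""
    body = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt(key: bytes, blob: dict) -> dict:
    """Inverse of encrypt(); raises PermissionError if `key` did not seal the blob."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise PermissionError("blob was not encrypted under this key")
    pt = bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))
    return json.loads(pt)


class KDC:
    """One long-term key per principal; issues service tickets sealed under the service's key."""

    def __init__(self):
        self.keys = {}

    def register(self, principal: str) -> bytes:
        # Returns the keytab entry handed to a host. A second host registering the same
        # principal name shares the existing key: that is the single-principal setup.
        return self.keys.setdefault(principal, os.urandom(32))

    def service_ticket(self, client: str, service: str):
        session_key = os.urandom(32).hex()
        ticket = encrypt(self.keys[service],
                         {"client": client, "service": service, "session_key": session_key})
        return session_key, ticket


def server_respond(keytab: dict, ticket: dict, authenticator: dict):
    """The telnetd side: open the ticket with a keytab key, then prove knowledge of the
    session key by returning the client's timestamp + 1 (the mutual-auth reply)."""
    for key in keytab.values():
        try:
            t = decrypt(key, ticket)
        except PermissionError:
            continue  # ticket was issued for some other principal than ours
        session_key = bytes.fromhex(t["session_key"])
        auth = decrypt(session_key, authenticator)
        return encrypt(session_key, {"timestamp": auth["timestamp"] + 1})
    return None  # no key in this keytab opens the ticket


def client_connect(kdc: KDC, client: str, expected_service: str, peer) -> bool:
    """The client side: fetch a ticket for the service it believes it is contacting and
    accept the peer only if it answers correctly under that ticket's session key."""
    sk_hex, ticket = kdc.service_ticket(client, expected_service)
    session_key = bytes.fromhex(sk_hex)
    timestamp = 1700000000  # constructed; a real client uses the current time
    reply = peer(ticket, encrypt(session_key, {"client": client, "timestamp": timestamp}))
    if reply is None:
        return False
    try:
        return decrypt(session_key, reply)["timestamp"] == timestamp + 1
    except PermissionError:
        return False


def run(per_host: bool, answering_host: str) -> bool:
    """alice intends to reach hostb; `answering_host` is the machine whose keytab actually
    answers. Returns True if the client accepts that peer as hostb's telnetd."""
    kdc = KDC()

    def name(host: str) -> str:
        return f"telnet/{host}.example.org@{REALM}" if per_host else f"telnet@{REALM}"

    keytabs = {h: {name(h): kdc.register(name(h))} for h in ("hosta", "hostb")}
    return client_connect(kdc, f"alice@{REALM}", name("hostb"),
                          lambda t, a: server_respond(keytabs[answering_host], t, a))


if __name__ == "__main__":
    for per_host in (True, False):
        for host in ("hostb", "hosta"):
            print(f"per-host={per_host!s:5} answered by {host}: accepted={run(per_host, host)}")
```

Running the block prints four lines: with per-host principals only hostb is accepted, while with the shared `telnet@EXAMPLE.ORG` principal hosta is accepted in hostb's place as well. The check that does the work is `decrypt()` failing inside `server_respond()`, which is the toy equivalent of the real telnetd being unable to decrypt a ticket with its keytab; the client never has to know which machine answered, it only has to insist on the principal name it expected.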