I have not touched DCE is a few years, as we turned it off. It never caught on. DFS was the only real application, but we had and still have AFS. I know DCE picked up k5dcelogin. It which must be exec'ed between the daemon, like rlogind and the user shell, so as to keep the PAG in the same process. It does not work with FTP. The k5dcecon could be run as a sub process, as long as the PAG could be set by the parent. (Sharing of DCE libs, Kerberos libs, threads etc. forced this separation.)
You will note AFS is still around. One reason I think it is is that one can separate the authentication from the authorization. AFS has its own authorization database, the PTS. All you need is a an AFS token, to authenticate to AFS. This authentication can be done by a number of different means: the built in Kerberos V4 AFS code (which is being updated to K5); a Kerberos V5 aklog to krb524d which could be using the DCE secd K5 support; gssklog using Kerberos GSS, or even gssklog using the Globus SSL/X509 certificate based GSI. This works well as the authentication is done a a global level, where as the authorization is done at a lower level. The realms/cells/domains for authentiction and authorization do not have to coincide. Kenneth Stephen wrote: > > On Thu, 16 Jan 2003, Douglas E. Engert wrote: > > > > > > > Kenneth Stephen wrote: > > > > > > Hi, > > > > > > DCE (atleast IBM DCE does) provides an integrated login daemon > > > which if running on a DCE client, allows a dce login to a DCE user even if > > > the user is not a local user. No more duplication of userid databases - > > > one just has to be defined as a user in the DCE registry. Is there an > > > equivalent for Kerberos? > > > > You might be starting to mix authentication with authorization. Kerberos > > only does authenticaiton. Where as DCE is using Kerberos for > > authentication, then making authorization decisions using the DCE registry > > information. So there is no equivalent, as Kerberos does not maintain > > an authorization database. > > > > But there is a way to use a Kerberos ticket to get a DCE context. > > We did this for years, where we would use the MIT Kerberized rlogin, > > telnet, ftp and SSH programs which only do Kerberos and use the > > forwarded ticket to get a DCE context for access to DFS. > > > > The k5dcelogin and k5dcecon programs. The k5dcecon could be used > > from PAM, if your operating system had PAM. > > > > See: > > ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5dce.20010824.tar > > > Doug, > > Thanks for the explanation. I dont know if you know this but the > DCE source code is available for download at the OpenGroup ftp site, and > the security server code does have an implementation of k5dcelogin in it > (havent checked for k5dcecon). Thanks for the pointers. > > Kenneth -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
