Re: Authorization
In message <t4iyabnz1lc.fsf@silas-1.cc.monash.edu.au>, Brian May writes:
+-----
| >>>>> "Brandon" == Brandon S Allbery KF8NH <allbery@kf8nh.apk.net> writes:
|
| Brandon> Authentication: "this user is who s/he claims to be"
| Brandon> Authorization: "this user is permitted to do these
| Brandon> things"
|
| Brandon> Kerberos only provides the former (well, barring the
| Brandon> w2kproblem "extensions"). You want to have the latter as
|
| What about the authorization in Kerberos applications, eg telnetd
| says "if this user has been authenticated as 'bam@...', then
| he can login with the Unix Id = bam". Not to mention .k5login
| (IIRC) files...
+--->8
The point is that they're effectively outside of "core" Kerberos, which is
all routers support. Routers don't generally use .k{,5}login or other
access control mechanisms related to Kerberos (such as the ACLs for kadmin);
they use RADIUS, TACACS, etc. even if you authenticate via Kerberos.
--
brandon s. allbery os/2,linux,solaris,perl allbery@kf8nh.apk.net
system administrator kthkrb,heimdal,gnome,rt allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering kf8nh
We are Linux. Resistance is an indication that you missed the point.
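To make the authentication/authorization split in the thread concrete, here is a small added illustration (not code from the thread, MIT Kerberos, Heimdal or any telnetd): the principal name is taken as already authenticated by Kerberos, and the application then decides whether that principal may act as a given local Unix account, first via the "bam@REALM maps to Unix id bam" rule and then via a .k5login-style list. The realm EXAMPLE.ORG, the sample .k5login lines and the comment-stripping are assumptions of this example, and the code is a simplification of what real implementations do.

```python
"""Authorization of an already-authenticated Kerberos principal (added illustration).

Authentication (Kerberos) yields a principal such as "bam@EXAMPLE.ORG".
Authorization (the application, e.g. telnetd) decides whether that principal
may log in as a given local account. Two rules are shown:
  1. default mapping: "user@DEFAULT_REALM" may log in as local user "user";
  2. a .k5login-style file in the target account's home directory that lists
     the principals permitted to use that account; when present it is treated
     as authoritative and the default mapping is not applied.
This is a simplified model, not the code of any Kerberos implementation.
"""
from typing import Iterable, Optional, Set

DEFAULT_REALM = "EXAMPLE.ORG"  # constructed sample realm (assumption)


def parse_k5login(lines: Iterable[str]) -> Set[str]:
    """Parse .k5login-style content: one principal per line.

    Blank lines are skipped; '#' comment stripping is an assumption of this
    illustration, not a documented .k5login feature.
    """
    principals = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line:
            principals.add(line)
    return principals


def default_mapping_allows(principal: str, local_user: str) -> bool:
    """Rule 1: 'bam@DEFAULT_REALM' maps to local user 'bam'; anything else is denied."""
    if "@" not in principal:
        return False
    name, realm = principal.rsplit("@", 1)
    # Exact comparison: a principal with an instance ("bam/admin@...") is not "bam",
    # and a matching name in a foreign realm is not trusted either.
    return realm == DEFAULT_REALM and name == local_user


def is_authorized(principal: str, local_user: str,
                  k5login: Optional[Iterable[str]]) -> bool:
    """Authorization decision for an authenticated principal.

    k5login is the content of the target account's .k5login file, or None if
    the account has no such file. With a file present, only listed principals
    are allowed; without one, fall back to the default realm mapping.
    """
    if k5login is not None:
        return principal in parse_k5login(k5login)
    return default_mapping_allows(principal, local_user)


if __name__ == "__main__":
    # Constructed sample .k5login for the local account "bam".
    sample_k5login = ["bam@EXAMPLE.ORG", "alice/admin@OTHER.REALM", ""]
    for who in ("bam@EXAMPLE.ORG", "alice/admin@OTHER.REALM", "alice@EXAMPLE.ORG"):
        print(who, "->", "allowed" if is_authorized(who, "bam", sample_k5login) else "denied")
```

The point the example makes is the one in the thread: nothing in the Kerberos ticket itself says that `bam@EXAMPLE.ORG` may become Unix user `bam`; that decision lives in the application's own policy (the name-to-local-user mapping or the .k5login list), and a service that has neither, such as a router consulting RADIUS or TACACS instead, gets no authorization from Kerberos at all.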