Bruce modestly neglected to mention that he worked on the implementation
The tech report is available at:
gopher://citi.umich.edu/00/techreports/PS.Z/citi-tr-92-1.ps.Z
Everyone forgot to mention the most recent criticism of the
technique, which requires that the translator forward the
tgt to the end machine in some encrypted form...
The form chosen was to use the *client principal* as
a service endpoint, which exposes that principal to
dictionary attacks. This isn't a big deal on k4, which
has that exposure at TGT requests, but in k5 you won't
be able to get the end principal to act as a service...
Sigh.
A more recent paper for third party NFS authentication is available
which describes a service (krb principal) on the NFS server, "NFS/DFS
Translator mapping registration" by Tom Minstretta and Bob Sommerfeld,
which provides registration service. Oddly enough this technique would
have been hard to implement for AFP service, due to the nature of the
AFP authentication ritual, but looks like it does the job for AFS...
Unfortunately it requires NEW binaries at each of the client
authenticators, which is always APITA.
But since PCI has new binaries ANYWAY, having a registration
service on the translator would be a better approach.
mts.