On Tue, 1 Jan 2002, Mug-O-Milk wrote:

> Hello All (and Happy New Year).
>
> <Background information> ... disregard as necessary!
>
> As part of my final year studies at University, I'm comparing authentication
> systems, such as Kerberos, NIS, Liberty Alliance, MS Passport etc. in terms
> of their suitability for single-signon within a corporate environment
> spanning different domains.
>

- I'm feeling generous today so I'll answer your questions.

> </Background Information>
>
> (1) The Ticket Granting Service and the Key Distribution Service:
> ============================================
> In diagrammatic examples that I have found, these are shown as two separate
> entities. In practice, is this normally the same server running these
> services, or are they really two different machines? If they are two
> separate machines, by what means do they communicate with each other?

- In theory, they could be two different machines, but in practice they are
  always processes on a single machine. There is no communication needed
  between the KDS and TGS. In general kerberos "servers" don't need to talk
  to the KDC.

> (2) Authentication
> ============================================
> Am I correct in reading that the client host is authenticated rather than
> simply a user?

- No. The only thing ever authenticated is a principal; the mapping from
  principals to other kinds of things is up to the underlying OS.

> One overview of the method I have read at ....
> http://web.mit.edu/kerberos/www/#what_is states that the "client" is
> authenticated - which, in most terminology means the host machine, rather
> than the "end user". Which is correct in terms of ????

- All these definitions are muddled. The most useful way to think about it
  that I've found is to think in terms of unix processes. Kerberos is a way
  for a process on one machine to authenticate to another process over the
  network. What it does is prove that the process has access to the
  credentials of a given principal.

- The mapping from principals to any other kind of id form is up to the
  underlying OS and kerberos libraries.

> If this is the case, RE: the local key that is kept by the client machine,
> can this be transferred to any machine that the user uses, or is this key
> registered to the machine that is being used?

- If you ask for the right kind of credentials you can move them from machine
  to machine. It's called a forwardable ticket.

- Booker C. Bense
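As an added illustration of the points in the reply above (this is not part of the thread and not real krb5 code), here is a toy Python model of the exchanges it describes: the AS and TGS run as one process over one principal database, a service checks a ticket without contacting the KDC, the only thing that comes out authenticated is a principal, and a TGT can be handed to a second host only if it was requested forwardable (the `kinit -f` case). Everything in it is constructed for the example: the realm EXAMPLE.ORG, the principals alice@EXAMPLE.ORG and host/fileserver.example.org@EXAMPLE.ORG, the passwords, and a `.k5login`-style mapping table. It also simplifies the protocol: an HMAC envelope stands in for encryption (integrity only), key derivation, replay windows and address lists are reduced to their essentials.

```python
# Added toy model of a Kerberos-style exchange for this thread; NOT the real krb5
# protocol. Encryption is replaced by an HMAC envelope (integrity only), key derivation
# and replay checks are simplified, and all realm/principal/password values are constructed.
import hashlib
import hmac
import json
import secrets
import time

REALM = "EXAMPLE.ORG"
TGS = f"krbtgt/{REALM}@{REALM}"  # the ticket-granting service's own principal

def derive_key(password: str, principal: str) -> bytes:
    # Real krb5 uses string2key (PBKDF2 for the AES enctypes); this stands in for it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def seal(key: bytes, payload: dict) -> dict:
    # Stand-in for "encrypt under key": only a holder of `key` can produce the MAC.
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key: bytes, envelope: dict) -> dict:
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        raise PermissionError("wrong key or tampered message")
    return json.loads(envelope["body"])

def authenticator(key: bytes, client: str) -> dict:
    # A fresh timestamp sealed under `key` proves the sender holds that key right now.
    return seal(key, {"client": client, "ts": time.time()})

class KDC:
    """AS and TGS as one process sharing one principal database, as the reply says."""

    def __init__(self):
        self.db = {TGS: secrets.token_bytes(32)}  # principal -> long-term key

    def as_exchange(self, client: str, preauth: dict, forwardable: bool = False):
        # AS: the client proves possession of its long-term key and gets a TGT plus a
        # session key (real krb5 returns that key encrypted under the long-term key).
        unseal(self.db[client], preauth)
        session = secrets.token_bytes(32)
        tgt = seal(self.db[TGS], {"client": client, "service": TGS, "session": session.hex(),
                                  "forwardable": forwardable, "forwarded": False, "expires": time.time() + 600})
        return tgt, session

    def tgs_exchange(self, tgt: dict, auth: dict, service: str, forward: bool = False):
        # TGS: open the TGT with the krbtgt key, check the authenticator under the TGT
        # session key, then issue a service ticket (or a forwarded TGT if allowed).
        t = unseal(self.db[TGS], tgt)
        a = unseal(bytes.fromhex(t["session"]), auth)
        if a["client"] != t["client"] or time.time() > t["expires"]:
            raise PermissionError("bad authenticator or expired TGT")
        if forward and not t["forwardable"]:
            raise PermissionError("TGT was not issued forwardable")
        new_session = secrets.token_bytes(32)
        ticket = seal(self.db[service], {"client": t["client"], "service": service, "session": new_session.hex(),
                                         "forwardable": t["forwardable"], "forwarded": forward, "expires": t["expires"]})
        return ticket, new_session

def service_accepts(service_key: bytes, ticket: dict, auth: dict) -> str:
    # The server never contacts the KDC: the ticket is sealed under the server's own key.
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session"]), auth)
    if a["client"] != t["client"] or time.time() > t["expires"]:
        raise PermissionError("ticket rejected")
    return t["client"]  # what was authenticated is a principal, nothing more

def principal_to_local_user(principal: str, k5login: dict):
    # Mapping a principal to an OS account is the OS's job; a .k5login-style table stands in.
    return next((user for user, allowed in k5login.items() if principal in allowed), None)

def demo() -> dict:
    alice, fs = f"alice@{REALM}", f"host/fileserver.example.org@{REALM}"
    kdc = KDC()
    alice_key = kdc.db[alice] = derive_key("correct horse", alice)  # client derives the same key
    fs_key = kdc.db[fs] = derive_key("keytab-secret", fs)           # server's keytab copy
    # Host A: forwardable TGT (think `kinit -f`), then a ticket for the file server.
    tgt, tgt_sk = kdc.as_exchange(alice, authenticator(alice_key, alice), forwardable=True)
    st, st_sk = kdc.tgs_exchange(tgt, authenticator(tgt_sk, alice), fs)
    who_a = service_accepts(fs_key, st, authenticator(st_sk, alice))
    # Forward: host A asks the TGS for a TGT to hand to host B; host B then gets its own
    # service ticket without ever holding Alice's password or long-term key.
    fwd_tgt, fwd_sk = kdc.tgs_exchange(tgt, authenticator(tgt_sk, alice), TGS, forward=True)
    st_b, st_b_sk = kdc.tgs_exchange(fwd_tgt, authenticator(fwd_sk, alice), fs)
    who_b = service_accepts(fs_key, st_b, authenticator(st_b_sk, alice))
    # A TGT that was not requested forwardable cannot be forwarded.
    plain_tgt, plain_sk = kdc.as_exchange(alice, authenticator(alice_key, alice))
    try:
        kdc.tgs_exchange(plain_tgt, authenticator(plain_sk, alice), TGS, forward=True)
        refused = False
    except PermissionError:
        refused = True
    return {"host_a": who_a, "host_b": who_b, "plain_refused": refused,
            "forwarded": unseal(kdc.db[TGS], fwd_tgt)["forwarded"],
            "local_user": principal_to_local_user(who_b, {"alice": [alice]})}
```

Running `demo()` returns the principal name the file server saw from host A and from host B (the same `alice@EXAMPLE.ORG`, proving the credential follows the principal, not the host), the `forwarded` flag set on the second TGT, `plain_refused` showing the TGS turning down a forwarding request for a TGT that was not issued forwardable, and the local account the `.k5login`-style table maps that principal to. The design choice worth noticing is that `service_accepts` only needs the server's own key: nothing in it reaches back to the KDC, which is the point made in the reply about kerberos "servers".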
