| dc.description.abstract | This document proposes solutions for two problems obstructing Project Athena's implementation of workstation services. The principal problem is that workstation services demand a more flexible mutual-authentication protocol than Kerberos currently provides. The egregious X access-control hack, xhost, for example, has lack of authentication as its root cause. The protocol weakness is also the reason that public workstations can't accept authenticated connections from rlogin, rcp, rsh, etc. We propose an extension to the Kerberos Ticket Granting Service protocol, that cleanly supports user-to-user mutual authentication. Our second proposal addresses the problem of ticket propagation. Currently, if a user wants tickets that are valid on a remote host, he has to run kinit an encrypted login session, unless he's willing to send his password in cleartext. As an example of the use of our protocol extension, we describe a Kerberos application that would support a limited facility for secure ticket-propagation. | en_US |
