[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authorization

In message <t4iyabnz1lc.fsf@silas-1.cc.monash.edu.au>, Brian May writes:
| >>>>> "Brandon" == Brandon S Allbery KF8NH <allbery@kf8nh.apk.net> writes:
|     Brandon> Authentication: "this user is who s/he claims to be"
|     Brandon> Authorization: "this user is permitted to do these
|     Brandon> things"
|     Brandon> Kerberos only provides the former (well, barring the
|     Brandon> w2kproblem "extensions").  You want to have the latter as
| What about the authorization in Kerberos applications, eg telnetd
| says "if this user has been authenticated as 'bam@...', then
| he can login with the Unix Id = bam". Not to mention .k5login
| (IIRC) files...

The point is that they're effectively outside of "core" Kerberos, which is 
all routers support.  Routers don't generally use .k{,5}login or other 
access control mechanisms related to Kerberos (such as the ACLs for kadmin); 
they use RADIUS, TACACS, etc. even if you authenticate via Kerberos.

brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
system administrator	   kthkrb,heimdal,gnome,rt	  allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			kf8nh
    We are Linux. Resistance is an indication that you missed the point.