Re: rsh equivalent


William Sommerfeld (wesommer@athena.mit.edu)
28 Feb 88 20:10:31 GMT


In article <23511@hi.unm.edu> cyrus@hi.unm.edu (Tait Cyrus) writes:
>I have heard of other Universities defining their own protocols to
>accomplish distributed processing without the big security holes.
>I would appreciate ANY information any of you might have concerning
>such protocols/utilities and their possible availability.

We should have something for you in about a month.. the Kerberos[1]
authentication system developed here at Athena should be released in
"about a month". It's written in C, and is known to work on the VAX
and RT/PC (both running 4.3BSD UNIX), the Sun (release 3[?]), and
partially (subject to memory restrictions and the lack of an operating
system) on the IBM PC. We use DES as the encryption algorithm; we
will [probably] ship a reasonably fast software DES to US sites, while
international sites may have to find their own DES implementation[2].

Note that Kerberos is not a panacea (is anything?); you still have to
be careful about how you choose your password and where you type it;
Kerberos allows you to avoid sending your password over the network in
the clear, but it can't prevent you from doing that if you so choose.
If you make your files globally writable, Kerberos can't save you.

We have Kerberos-authenticated versions of rlogin, rsh, rcp, and NFS;
we haven't done Kerberos-authenticated telnet or ftp [yet?], mostly
because we don't use either protocol very much internally.

                                Bill Sommerfeld
                                MIT Project Athena

[1] Kerberos is the Greek name for what the Romans called Cerberus,
the three-headed dog guarding the entrance to Hell.

[2] Flames about DES exportability to /dev/null please; we'd prefer to
believe John Gilmore's analysis of the laws, but we'd rather not find
out the hard way that he was wrong.


