Post-login Authentication Options
When a non-root user logs into a dialup host without Kerberos tickets,
several things can happen.
- A user whose homedir has the default Athena permissions will get a
% sign quickly, but nothing works. Dotfiles exist but aren't readable, so
tty settings, aliases, path, etc. just won't happen. (I described this
in athena-ws transaction [1910]).
- A user whose homedir has system:anyuser none will get a temporary
home directory.
- A user whose homedir has system:anyuser rl will get a potentially
confusing state. No commands that require Kerberos authentication will
work. Zwgc won't start. Most likely, all the attach commands in
.environment will fail.
Therefore, let me emphasize that the options outlined below will do no
good at all unless a user's .cshrc file is made world-readable.
User education is key to all of our available technical
options.
Dotfile change
I proposed in athena-ws transaction [1910] that environment setup in
the global cshrc file be modified to run kinit if no tickets are
present.
Advantages
- It's easy to implement.
- The user gets tickets before running any commands that require
authentication. Login proceeds normally.
Disadvantages
- It may encourage users to type passwords hastily in a non-encrypted
session.
Tell them to type ``renew''
In athena-ws transaction [1914], Chad Brown wrote,
    All in all, I think I'd feel more comfortable with a global .cshrc
    change that merely suggested that the user run renew, rather than
    running kinit directly. Just my opinion.
Presumably the message would suggest that the user make sure that
encryption is turned on (at least for input) and then type renew or some
other alias. How to check if your session is encrypted will vary from
client to client, e.g. on Unix it's ``^]encrypt status''. This variance
makes it difficult for any message to give exact instructions to
everyone.
Advantages
- It's easy to implement.
- Gives the user more time to think about encryption before being
faced with a Password: prompt.
Disadvantages
- The user gets lots of error messages.
- It's hard to redo everything that failed on startup.
Environment variable
Ted Ts'o said in athena-ws transaction [1915],
    I'd suggest changing telnetd (and rlogind) to set an environment
    variable if the connection is encrypted, and change the patch to cshrc
    so that it only attempts the kinit if the environment indicating an
    encrypted connection is set.
Advantages
- Combines the advantages of the first two options
Disadvantages
- Yet another environment variable
- ``A standardized environment variable that means that you're
working with an encrypted connection'' is tricky.
- Encryption can be turned on/off by the client at any time
- There are separate options for encrypted input and output.
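A sketch of how the environment-variable option could look in the global cshrc, falling back to the ``renew'' suggestion when input encryption is not indicated. This is an added example, not Athena's cshrc and not code from the athena-ws thread; the variable name SESSION_ENCRYPTED and its values (input, output, both) are hypothetical, and it assumes an MIT krb5 klist that supports -s.

```csh
# Added example; not Athena's global cshrc.
# Hypothetical: telnetd/rlogind export SESSION_ENCRYPTED as "input",
# "output" or "both" when the login connection is encrypted.
# Assumes an MIT krb5 klist, where "klist -s" prints nothing and
# exits 0 only when a valid (unexpired) ticket cache exists.

# Interactive shells only.
if ($?prompt) then
    klist -s >& /dev/null
    # Non-zero status: no usable tickets.
    if ($status != 0) then
        set enc = none
        # Block form on purpose: a one-line "if (...) set enc = $VAR"
        # expands $VAR before the test and aborts when it is unset.
        if ($?SESSION_ENCRYPTED) then
            set enc = "$SESSION_ENCRYPTED"
        endif
        switch ("$enc")
        case both:
        case input:
            # Keystrokes were encrypted at login: prompt for the password.
            echo "No Kerberos tickets; running kinit."
            kinit
            breaksw
        default:
            # Unset, "output" only, or an unknown value: do not prompt.
            echo "No Kerberos tickets, and input is not known to be encrypted."
            echo "Turn on encryption in your client, then type: renew"
            breaksw
        endsw
        unset enc
    endif
endif
```

The variable only records the state of the connection at login; because the client can turn encryption off afterwards, it says nothing about password prompts later in the session.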
Please address comments to <athena-ws@mit.edu>.
Bruce R. Lewis <brlewis@mit.edu>