Post-login Authentication Options

When a non-root user logs into a dialup host without Kerberos tickets, several things can happen.

A user whose homedir has the default Athena permissions will get a % sign quick, but nothing works. Dotfiles exist but aren't readable, so tty settings, aliases, path, etc. just won't happen. (I described this in athena-ws transaction [1910]).
A user whose homedir has system:anyuser none will get a temporary home directory.
A user whose homedir has system:anyuser rl will get a potentially confusing state. No commands that require Kerberos authentication will work. Zwgc won't start. Most likely, all the attach commands in .environment will fail.

Therefore, let me emphasize that the options outlined below will do no good at all unless a user's .cshrc file is made world-readable. User education is key to all of our available technical options.

Dotfile change

I proposed in athena-ws transaction [1910] that environment setup in the global cshrc file be modified to run kinit if no tickets are present.

Advantages

It's easy to implement.
The user gets tickets before running any commands that require authentication. Login proceeds normally.

Disadvantages

It may encourage users to type passwords hastily in a non-encrypted session.

Tell them to type ``renew''

In athena-ws transaction [1914], Chad Brown wrote,

All in all, I think I'd feel more comfortable with a global .cshrc change that merely suggested that the user run renew, rather than running kinit directly. Just my opinion.

Presumably the message would suggest that the user make sure that encryption is turned on (at least for input) and then type renew or some other alias. How to check if your session is encrypted will vary from client to client, e.g. on Unix it's ``^]encrypt status''. This variance makes it difficult for any message to give exact instructions to everyone.

Advantages

It's easy to implement.
Gives the user more time to think about encryption before being faced with a Password: prompt.

Disadvantages

The user gets lots of error messages.
It's hard to redo everything that failed on startup.

Environment variable

Ted Ts'o said in athena-ws transaction [1915],

I'd suggest changing telnetd (and rlogind) to set an environment variable if the connection is encrypted, and change the patch to cshrc so that it only attempts the kinit if the environment indicating an encrypted connection is set.

Advantages

Combines the advantages of the first two options

Disadvantages

Yet another environment variable
``A standardized environment variable that means that you're working with an encrypted connection'' is tricky.
- Encryption can be turned on/off by the client at any time
- There are separate options for encrypted input and output.

Please address comments to <athena-ws@mit.edu>.

Bruce R. Lewis <brlewis@mit.edu>