- Path: sparky!uunet!newsstand.cit.cornell.edu!lns598.TN.CORNELL.EDU!dsr
- From: dsr@lns598.tn.cornell.edu (Daniel S. Riley)
- Newsgroups: comp.client-server
- Subject: Re: Authentication of Clients in a C/S environment
- Date: 23 Nov 1992 15:18:41 -0500
- Organization: Wilson Lab, Cornell U., Ithaca, NY 14853
- Lines: 32
- Distribution: world
- Message-ID: <1ereb1INN55e@lns596.TN.CORNELL.EDU>
- References: <1992Nov20.032345.18307@kodak.kodak.com> <19921122175106SEB1525@MVS.draper.com>
- NNTP-Posting-Host: lns596.tn.cornell.edu
-
-
- In article <19921122175106SEB1525@MVS.draper.com>,
- SEB1525@MVS.draper.com (Steve Bacher) writes:
- > In article <1992Nov20.032345.18307@kodak.kodak.com>,
- > deal@tempus.Kodak.Com (Stephen M. Deal) writes:
- > >Has anyone given much thought to client authentication on PCs and Macs?
- > >Does anyone have any thoughts on how a server (DB or otherwise) would
- > >handle such a mechanism?
- >
- > You may want to look at RFC 931, "Authentication server", which
- > proposes a protocol for user authentication from remote clients.
-
- Not for PCs and Macs he doesn't. RFC931 only works with reasonably
- trusted hosts; with PC class machines that are trivially subverted,
- RFC931 is useless as an authentication protocol. See the CAVEATS
- sections of RFC931:
-
- CAVEATS
-
- Unfortunately, the trustworthiness of the various host systems that
- might implement an authentication server will vary quite a bit. It
- is up to the various applications that will use the server to
- determine the amount of trust they will place in the returned
- information. It may be appropriate in some cases restrict the use of
- the server to within a locally controlled subnet.
-
- For reliable client authentication on untrustworthy hosts, you really
- need something like Kerberos.
-
- --
- -Dan Riley Internet: dsr@lns598.tn.cornell.edu
- -Wilson Lab, Cornell University HEPNET/SPAN: lns598::dsr (44630::dsr)
-
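The caveat quoted in the post, as an added example that is not part of the original message or of RFC 931: a server-side check that lets a host-reported user id count toward access decisions only when the client sits in a locally controlled subnet, and keeps it for logging otherwise. The subnet, the function names, the trust labels and the reply-line layout are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed policy (assumption): networks whose hosts this site administers itself.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed reply layout: "<port>, <port> : USERID : <system> : <user>"
#                   or: "<port>, <port> : ERROR : <reason>"
REPLY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


def parse_reply(line, queried_ports):
    """Return (kind, info), or None if malformed or about a different connection."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # The reply must echo the port pair the server put in its query.
    if (int(m.group(1)), int(m.group(2))) != tuple(queried_ports):
        return None
    return m.group(3), m.group(4).strip()


def classify(client_ip, line, queried_ports):
    """Decide how much weight the server gives the user id the client host reported."""
    parsed = parse_reply(line, queried_ports)
    if parsed is None or parsed[0] == "ERROR":
        return {"user": None, "trust": "none"}
    fields = parsed[1].split(":", 1)  # "<system> : <user>"
    if len(fields) != 2 or not fields[1].strip():
        return {"user": None, "trust": "none"}
    user = fields[1].strip()
    addr = ipaddress.ip_address(client_ip)
    local = any(addr in net for net in TRUSTED_NETS)
    # An answer from outside the controlled subnet comes from a host the server
    # cannot vouch for: record it, but never base an access decision on it.
    return {"user": user, "trust": "site-managed-host" if local else "log-only"}


if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    sample = "6191, 23 : USERID : UNIX : dsr"
    print(classify("192.0.2.10", sample, (6191, 23)))
    print(classify("198.51.100.7", sample, (6191, 23)))
```
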