khera@thneed.cs.duke.edu (Vick Khera) (09/19/90)
Kerberos Security for The X Window System

Vivek Khera
Duke University Computer Science Dept.
Durham, NC 27706
e-mail: khera@cs.duke.edu

Support for Kerberos (version 4) authenticated and authorized server connections has been merged into the MIT X11R4 sample server. The support is implemented in the form of a server extension to maintain an access control list, and some necessary modifications to the server and library. Additional support for starting the server must be provided, and the current implementation uses xdm (with the needed modifications.) The environment assumed is different from the Project Athena environment in that it is assumed that Kerberos is running on each workstation. Kerberos V5 is supposed to contain user-to-user authentication which would remove the need for this assumption.

The extension provides a mechanism for dynamically modifying the list of users authorized to connect to the server. Only users listed may connect to the server after providing the proper credentials which are authenticated by Kerberos. The client must be linked with the new version of the library routine XOpenDisplay() which passes the needed information for Kerberos to make the determination of the authenticity of the user. If Kerberos approves, then the access control list is consulted and the connection is either allowed or disallowed. If Kerberos disapproves, then the connection is not allowed. The mechanics of the authorization scheme work similarly to XDM-AUTHORIZATION-1.

The files and patches needed to implement the extension and the Kerberos support are available for anonymous ftp in a file called pub/x11r4-kerberos.tar.Z on the host cs.duke.edu (128.109.140.1). A paper describing the system is also available by contacting the author at the e-mail address above.

The server was implemented and tested on a VAXStation 2000 running 4.3 BSD Unix. The clients have also been tested on a Convex C2.

This work was done while the author was at the Microelectronics Center of North Carolina in Research Triangle Park, NC. The author is currently associated with Intelligent Data Sciences, Inc., of Rockville, MD.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vick Khera                        Gradual Student
Department of Computer Science    ARPA: khera@cs.duke.edu
Duke University                   UUCP: ...!mcnc!duke!khera
Durham, NC 27706                  (919) 660-6528
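
The decision order described in the post (Kerberos authentication first, then the access control list, with the list changeable at run time), as an added sketch that is not code from the extension or its patches. The ACL layout, all function names, and the `krb_ok` flag standing in for the outcome of Kerberos ticket verification are assumptions; principals use the Kerberos V4 form name.instance@REALM.

```c
#include <string.h>
#define ACL_MAX 16
#define PLEN 40                       /* field size chosen for this sketch */
struct principal { char name[PLEN], inst[PLEN], realm[PLEN]; };
static struct principal acl[ACL_MAX]; /* hypothetical in-server ACL */
static int acl_len;

/* Copy n bytes into a field; reject overlong input rather than truncate. */
static int put(char *dst, const char *src, size_t n) {
    if (n >= PLEN) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "name[.instance]@REALM"; the realm may itself contain dots. */
int parse_principal(const char *s, struct principal *p) {
    const char *at = strchr(s, '@');
    if (!at || at[1] == '\0') return -1;
    const char *dot = memchr(s, '.', (size_t)(at - s));
    const char *end = dot ? dot : at;          /* end of the name part */
    if (end == s || put(p->name, s, (size_t)(end - s))) return -1;
    if (put(p->inst, dot ? dot + 1 : "", dot ? (size_t)(at - dot - 1) : 0)) return -1;
    return put(p->realm, at + 1, strlen(at + 1));
}
static int acl_find(const struct principal *p) {
    for (int i = 0; i < acl_len; i++)
        if (!strcmp(acl[i].name, p->name) && !strcmp(acl[i].inst, p->inst) &&
            !strcmp(acl[i].realm, p->realm)) return i;
    return -1;
}

int acl_add(const char *s) {
    struct principal p;
    if (parse_principal(s, &p) || acl_len == ACL_MAX) return -1;
    if (acl_find(&p) < 0) acl[acl_len++] = p;  /* ignore duplicates */
    return 0;
}
int acl_remove(const char *s) {
    struct principal p; int i;
    if (parse_principal(s, &p) || (i = acl_find(&p)) < 0) return -1;
    acl[i] = acl[--acl_len];                   /* fill the hole with the last entry */
    return 0;
}

/* krb_ok: did Kerberos accept the credentials (assumed input)? 1 = allow. */
int allow_connection(int krb_ok, const char *who) {
    struct principal p;
    if (!krb_ok || parse_principal(who, &p)) return 0;  /* fail closed */
    return acl_find(&p) >= 0;            /* authenticated, then authorized */
}
```

An identity with a different instance (for example an admin instance of the same user name) is a different principal and is refused unless it is listed separately.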