
Re: TGT forwarding when cross-realm auth?

That's not the way it works, as others have pointed out. Currently delegation
is an all or nothing thing. The user's full TGT is delegated with no

This is one of the areas where Kerberos needs improvement as it becomes
more and more popular, some way to limit the damage of a stolen
delegate ticket is needed, as I pointed out in a presentation in the
last ietf-krb-wg that I co-chaired.

vadim wrote:

> Hallo everybody,
> First time in my life I managed to establish trust between two realms,
> realm A and realm B. Trust is one-way, where B trusts A. 
> Now when I do ssh from unix box from realm A to unix box in realm B, my
> TGT from realm A gets forwarded to box in realm B. My principal remains
> me@A.
> This is however not the functionality I am looking for. Instead of
> forwarding krbtgt/A@A, I would like to get krbtgt/B@B in my credential
> cache on unix box in realm B once ssh'ed in it from unix box in realm A.
> And I would like my principal to become me@B instead of me@A.

You don't have to go as far as to get krbtgt/B@B, but could forward a
krbtgt/B@A while still keeping the user as me@A.

If you are willing you could make some modifications to the
client side that would forward the krbtgt/B@A ticket rather than what
it does now, forwarding a krbtgt/A@A.  The krbtgt/B@A is good only for
services in realm B and any other realms that trust A via B.

Even if you had trust set up both ways it would not allow a
krbtgt/A@B to be issued using the krbtgt/B@A, as it would violate
the cross-realm trust assumptions because the user is still me@A.
Realm A expects user@A to use the krbtgt/A@A for services in A.

> Reason one I am looking for such functionality is 
> 1) we (realm A) do not trust realm B and do not want credentials from
> realm A to be saved on that filesystem.
> 2) we however still want users to login from A to B without entering
> passwords.
> Could you please tell me how I could get such functionality?
> thanx a lot and best regards, vadim tarassov.


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
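As an added illustration of the point made in the reply above (this is not code from the thread or from any Kerberos implementation), the following Python model computes which realms the holder of a given TGT can obtain service tickets in, under a constructed trust graph. The rule that a KDC refuses to issue a cross-realm TGT back to a realm already on the ticket's path (so krbtgt/B@A can never turn into krbtgt/A@B for me@A) is a modelling assumption that stands in for the transited-realm check.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tgt:
    """A ticket-granting ticket krbtgt/<service_realm>@<issuing_realm> held by a
    client whose home realm is <client_realm>."""
    service_realm: str
    issuing_realm: str
    client_realm: str

    @property
    def name(self) -> str:
        return f"krbtgt/{self.service_realm}@{self.issuing_realm}"


# Constructed trust graph: TRUSTS[X] is the set of realms X trusts, i.e. X's KDC
# accepts a krbtgt/X@Y for every Y in TRUSTS[X].  Here A and B trust each other
# and a third realm C trusts only B.
TRUSTS = {"B": {"A"}, "A": {"B"}, "C": {"B"}}


def reachable_realms(tgt: Tgt, trusts: dict) -> set:
    """Realms in which the holder of `tgt` can obtain service tickets.

    Starting from the realm the TGT is good for, each KDC on the path can issue
    krbtgt/<next>@<here> for any realm <next> that trusts <here>.  Modelling
    assumption: a KDC never issues a cross-realm TGT for a realm already on the
    path, including the client's home realm, so the path cannot loop back.
    """
    reached = {tgt.service_realm}
    on_path = {tgt.client_realm, tgt.service_realm}
    queue = deque([tgt.service_realm])
    while queue:
        here = queue.popleft()
        for nxt, trusted in trusts.items():
            if here in trusted and nxt not in on_path:
                on_path.add(nxt)
                reached.add(nxt)
                queue.append(nxt)
    return reached


def forwarding_exposure(client_realm: str, target_realm: str, trusts: dict) -> dict:
    """Compare the blast radius of forwarding the home TGT versus forwarding only
    the cross-realm TGT for the target realm, as the reply suggests."""
    home = Tgt(client_realm, client_realm, client_realm)
    cross = Tgt(target_realm, client_realm, client_realm)
    return {home.name: reachable_realms(home, trusts),
            cross.name: reachable_realms(cross, trusts)}


if __name__ == "__main__":
    for name, realms in forwarding_exposure("A", "B", TRUSTS).items():
        print(f"{name} stolen on a box in B reaches: {sorted(realms)}")
```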