
Re: TGT forwarding when cross-realm auth?



Hi Douglas,

Thanx a lot again for your help. As it looks like I have to apply the
modification to the client code which you mentioned, it would help me
a lot if you could give a hint of where I'll have to start to
dig ...

Thanx a lot in advance and best regards, vadim tarassov.

On Mon, 2005-06-06 at 10:30 -0500, Douglas E. Engert wrote:
> That's not the way it works, as others have pointed out. Currently delegation
> is an all or nothing thing. The user's full TGT is delegated with no
> restrictions.
> 
> 
> This is one of the areas where Kerberos needs improvement as it becomes
> more and more popular: some way to limit the damage of a stolen
> delegated ticket is needed, as I pointed out in a presentation at the
> last ietf-krb-wg that I co-chaired.
> 
> 
> vadim wrote:
> 
> > Hello everybody,
> > 
> > For the first time in my life I managed to establish trust between two realms,
> > realm A and realm B. Trust is one-way, where B trusts A.
> > 
> > Now when I ssh from a unix box in realm A to a unix box in realm B, my
> > TGT from realm A gets forwarded to the box in realm B. My principal remains
> > me@A.
> > 
> > This is however not the functionality I am looking for. Instead of
> > forwarding krbtgt/A@A, I would like to get krbtgt/B@B in my credential
> > cache on the unix box in realm B once I have ssh'ed into it from the unix box in realm A.
> > And I would like my principal to become me@B instead of me@A.
> >
> 
> You don't have to go as far as to get krbtgt/B@B, but could forward a
> krbtgt/B@A while still keeping the user as me@A.
> 
> If you are willing, you could make some modifications to the
> client side that would forward the krbtgt/B@A ticket rather than what
> it does now, forwarding a krbtgt/A@A.  The krbtgt/B@A is good only for
> services in realm B and any other realms that trust A via B.
> 
> Even if you had trust set up both ways, it would not allow
> a krbtgt/A@B to be issued using the krbtgt/B@A, as this would violate
> the cross-realm trust assumptions because the user is still me@A.
> Realm A expects user@A to use the krbtgt/A@A for services in A.
> 
> 
> 
> 
> > The reasons I am looking for such functionality are
> > 
> > 1) we (realm A) do not trust realm B and do not want credentials from
> > realm A to be saved on that filesystem.
> > 
> > 2) we however still want users to login from A to B without entering
> > passwords.
> > 
> > Could you please tell me how I could get such functionality?
> > 
> > thanx a lot and best regards, vadim tarassov.
> > 
> 
-- 
vadim <vadim.tarassov@swissonline.ch>
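As an added illustration of the three credential-cache states discussed in this thread (not code from the thread, nor from any Kerberos distribution): a small Python check that parses MIT `klist -f` output on a realm-B host and classifies each krbtgt entry as the full foreign TGT (krbtgt/A@A) that realm A does not want stored on B's filesystem, the cross-realm TGT (krbtgt/B@A) Douglas suggests forwarding instead, or a local TGT (krbtgt/B@B). The sample klist output, hostname and realm names are constructed.

```python
import re

# Constructed `klist -f` output (MIT format) for the realm-B host in the
# thread after the default behaviour: the full krbtgt/A@A was forwarded.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: me@A

Valid starting       Expires              Service principal
06/06/2005 10:30:00  06/06/2005 20:30:00  krbtgt/A@A
\trenew until 06/07/2005 10:30:00, Flags: FfRA
06/06/2005 10:31:00  06/06/2005 20:30:00  krbtgt/B@A
\trenew until 06/07/2005 10:30:00, Flags: FA
06/06/2005 10:31:05  06/06/2005 20:30:00  host/boxb.example.org@B
\trenew until 06/07/2005 10:30:00, Flags: FA
"""

# A ticket line: two timestamps, then a krbtgt/<for_realm>@<issuer> principal.
TGT_RE = re.compile(r"^\d\S+ \S+\s+\d\S+ \S+\s+(?P<svc>krbtgt/(?P<for_realm>[^@\s]+)@(?P<issuer>\S+))")
FLAGS_RE = re.compile(r"Flags: (?P<flags>\S+)")


def classify_tgts(klist_text, local_realm):
    """Return (service, verdict, forwardable) for every krbtgt in the cache."""
    results, lines = [], klist_text.splitlines()
    for i, line in enumerate(lines):
        m = TGT_RE.match(line)
        if not m:
            continue
        # klist -f prints the flags on the continuation line that follows.
        fm = FLAGS_RE.search(lines[i + 1] if i + 1 < len(lines) else "")
        flags = fm.group("flags") if fm else ""
        for_realm, issuer = m.group("for_realm"), m.group("issuer")
        if for_realm == issuer == local_realm:
            verdict = "LOCAL_TGT"           # krbtgt/B@B: what vadim asked for
        elif for_realm == issuer:
            verdict = "FULL_FOREIGN_TGT"    # krbtgt/A@A: good for anything in A
        elif for_realm == local_realm:
            verdict = "CROSS_REALM_TGT"     # krbtgt/B@A: only services in B
        else:
            verdict = "OTHER_CROSS_REALM_TGT"
        results.append((m.group("svc"), verdict, "F" in flags))
    return results


def full_foreign_tgts(klist_text, local_realm):
    """Tickets realm A did not want saved on B's filesystem."""
    return [svc for svc, verdict, _ in classify_tgts(klist_text, local_realm)
            if verdict == "FULL_FOREIGN_TGT"]
```

Run `full_foreign_tgts(klist_output, "B")` against real `klist -f` output on a B host; a non-empty result means a full home-realm TGT of another realm is sitting in that cache.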