[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: TGT forwarding when cross-realm auth?
Hi Douglas,
Thanx a lot again for your help. As it looks like I have to apply the
modification to the client code, which you have mentioned. It will help
me however a lot, if you will give a hint of where I'll have to start to
dig ...
Thanx a lot in advance and best regards, vadim tarassov.
On Mon, 2005-06-06 at 10:30 -0500, Douglas E. Engert wrote:
> Thats not the way it works, as others have pointed out. Currently delegation
> is an an all or nothing thing. The user's full TGT is delegated with no
> restrictions.
>
>
> This is one of the areas where Kerberos needs improvement as it becomes
> more and more popular, some way to limit the damage of a stolen
> delegate ticket is needed, as I pointed out in a presentation in the
> last ietf-krb-wg that I co-chaired.
>
>
> vadim wrote:
>
> > Hallo everybody,
> >
> > First time in my life I managed to establish trust between two realms,
> > realm A and realm B. Trust is one-way, where B trusts A.
> >
> > Now when I do ssh from unix box from realm A to unix box in realm B, my
> > TGT from realm A gets forwarded to box in realm B. My principal remains
> > me@A.
> >
> > This is however not the functionality I am looking for. Instead of
> > forwarding krbtgt/A@A, I would like to get krbtgt/B@B in my credential
> > cache on unix box in realm B once ssh'ed in it from unix box in realm A.
> > And I would my principal to become me@B instead of me@A.
> >
>
> You don't have to go as far as to get krbtgt/B@B, but could forward a
> krbtgt/B@A while still keeping the user as me@A.
>
> If you are willing you could make some modifications to the
> client side that would forward the krbtgt/B@A ticket rather then what
> it does now forwarding a krbtgt/A@A. The krbtgt/B@A is good only for
> services in realm B and any other realms that trust A via B.
>
> Even if you had trust setup both ways it would not be allow a
> a krbtgt/A@B to be issued using the krtgt/B@A this as it would violate
> the cross-realm trust assumptions because the user is still me@A.
> Realm A expects the user@A to use the krbtgt/A@A for services in in A.
>
>
>
>
> > Reason one I am looking for such functionality is
> >
> > 1) we (realm A) do not trust realm B and do not want credentials from
> > realm A to be saved on that filesystem.
> >
> > 2) we however still want users to login from A to B without entering
> > passwords.
> >
> > Could you please tell me how I could get such functionality?
> >
> > thanx a lot and best regards, vadim tarassov.
> >
>
--
vadim <vadim.tarassov@swissonline.ch>