(Once more, with feeling...and also hopefully acceptable-to-mailman formatting.)
This is all kind of half-baked, so bear with me while I think out loud:

- I am using kerberos for my game's authn with clients and a server. Clients have connections to the server, and then also p2p connections to each other, and I use u2u tickets for those. This all works swimmingly. I <3 kerberos.

- I am now integrating a 3rd party authn system (Steam). This system also uses sessions and tickets and whatnot but they're not kerberos tickets, so I'm going to need to translate somehow, and I want this to all be seamless so a Steam user doesn't know they aren't a normal kerberos user (until they try something Steam doesn't support, but that's a different topic).

- I think what I want to do is when a Steam user connects to the server for the first time with a Steam ticket, I authenticate it with Steam, and then create a kerberos user for that Steam user. I don't want to require people to pick a username or password or anything, so I want to generate a unique krb username for this user, <steamid>/steam or something (and I'll use princ aliases if they want to pick another name later), and then also generate a randkey. This is where it gets interesting...

- I don't want to give them the key to their krb account because I don't want them to be able to log into any of my other kerberized services, so I think I'd like to request a TGT for them on the server and then send it to the client. This way they can install it and use it to get u2u tickets, or tickets to other services.

- Can I just do this, and send the TGT to the client and have them install it with krb5_cc_store_cred? I do a similar thing with krb5_cc_retrieve_cred to get the TGT for u2u. Does there have to be an AS request to establish a session key, or does there need to be a key installed on the client to use the TGT correctly?

- If this isn't going to work, what are my options here?

I'd like to keep everything except the initial login working with my current kerberos system, so I'd really like to get a Steam user a temporary kerberos ticket as early as possible so I don't have to handle many special cases. I'd like to avoid sending a full key to the client because they could then use that to log into my other kerberos services unless I implemented some kind of authz stuff that I'd like to avoid for now.

Thoughts?

Thanks!
Chris

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos