On 11/17/2017 11:20 AM, Chris Hecker wrote:
> - I don't want to give them the key to their krb account because I don't
> want them to be able to log into any of my other kerberized services, so I
> think I'd like to request a TGT for them on the server and then send it to
> the client. This way they can install it and use it to get u2u tickets, or
> tickets to other services.

It seems like a TGT would allow them the same access to other kerberized
services as the key would, though only for the lifetime of the TGT.

> - Can I just do this, and send the TGT to the client and have them install
> it with krb5_cc_store_cred? I do a similar thing with krb5_cc_retrieve_cred
> to get the tgt for u2u? Does there have to be an AS request to establish a
> session key, or does there need to be a key installed on the client to use
> the TGT correctly?

The client needs the session key of the ticket in order to use it. You can
transmit that as well, but will need to do so over an encrypted channel.
krb5_mk_1cred() will package up a credential (ticket and session key) and
encrypt it using an auth context.

> - If this isn't going to work, what are my options here?

One potential building block is S4U2Self (aka "Protocol Transition"), where
a service can request a ticket from an arbitrary user to itself after
authenticating the user with a different auth protocol. But I don't think
you could easily bootstrap from there to U2U communication between the
clients.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos