Okay, I think I have a handle on this...a few responses and then a few
questions:
simo and greg:
> but a TGT would allow this client to access any kerberized service.
>
Yeah, I realized this, and then I realized that for my use case even a full
key instead of a ticket would be okay to send, bec
Oh, and to actually send the key back, I assume I can just pack up the
keyblock and send that encrypted with mk_priv; there's no mk_1cred
equivalent for sending a key, it seems?
Thanks,
Chris
On Sat, Nov 25, 2017 at 4:23 PM, Chris Hecker wrote:
>
> Okay, I think I have a handle on this...a few
Another approach is kind of iffy from a security point of view, but I have a
situation where it’s needed. We have code that will generate any credentials
for which it has a keytab, including a TGT. (It’s an MIT person of
kimpersonate.) You can transmit it to the other end using krb5_fwd_tgt_cred
On Fri, 2017-11-17 at 15:49 -0500, Simo Sorce wrote:
> On Fri, 2017-11-17 at 16:20 +, Chris Hecker wrote:
> > (Once more, with feeling...and also hopefully acceptable-to-mailman
> > formatting.)
> >
> > This is all kind of half-baked, so bear with me while I think out loud:
> >
> > - I am usi
On Fri, 2017-11-17 at 16:20 +, Chris Hecker wrote:
> (Once more, with feeling...and also hopefully acceptable-to-mailman
> formatting.)
>
> This is all kind of half-baked, so bear with me while I think out loud:
>
> - I am using kerberos for my game's authn with clients and a server.
> Client
On 11/17/2017 11:20 AM, Chris Hecker wrote:
> - I don't want to give them the key to their krb account because I don't
> want them to be able to log into any of my other kerberized services, so I
> think I'd like to request a TGT for them on the server and then send it to
> the client. This way the