Kerb/PKI Infrastructure - Who's on first?

STEWARD, Curtis (Jamestown) Curtis.Steward at trw.com
Wed Oct 9 10:35:58 EDT 2002


Thanks for your thoughts, here's a little more based on
them and my understanding.

Other than the native OS login, Kerberos is the only other
authentication means that I know of to provide access
at OS login.  If I'm correct then I'm answering my
own question and everything could be TGT centric.
I've been a Kerberos advocate for a while
but I don't see a comprehensive solution coming
together on technical merit alone.  I can have independent
authentication in each :( or pick one as more centric
over the other.  I'm no expert and have found very 
little on this theme, but let me attempt a draft of a 
simplified matrix that can illustrate where I'm coming 
from and from what I hear you saying:

REQUIREMENT     IETF      PKI CENTRIC              KERBEROS CENTRIC

Authentication  krb-wg?   Kerberos-PKINIT          Kerberos-"k5cert"
                          (Heimdal)                (MIT)
Certificate     pkix      RSA                      SSL CA-via ?
                          (OpenCA)                 (OpenCA)
Encryption      smime     GnuPG->S/MIME            GnuPG->S/MIME-via ?
                          (Mozilla)                (Mozilla)
Hashing         pkix      SHA1SUM                  SHA1SUM -N/A
                          (GNU)                    (GNU)
IP              ipsec     IPSEC                    IPSEC-via ?
                          (FreeSWAN)               (FreeSWAN)
Shell           secsh     RSA                      gss-keyex
                          (OpenSSH)                (OpenSSH)
Transport       tls       RSA                      gss-keyex
                          (OpenTLS)                (OpenTLS)

I'm guessing at some of the above; how would you do it?
It appears authentication is key to the whole model.
The technology deployed, not necessarily the product in
parentheses, is what I'm concerned with, and I've
obviously gravitated toward Open Source solutions.

Open Source tools I've found to work great for proof
of concept, particularly with the above requirements
from the user and technical gray.  Globus has a FAQ
that also illustrates what I'm looking for and I might
pursue their GSI module:

"PKINIT, which can generate a Kerberos TGT from a certificate, is being
worked on in the IETF and the final solution will be implemented in the
reference version of MIT Kerberos. This is expected to take about 1 year.
W2000 has implemented an early version of this work. Pending availability of
the final standard, Globus have implemented extensions to an MIT Kerberos
KDC, called SSLCD-SSLK5. This allows a client to connect to gatekeeper with
a delegated proxy certificate and then use globus services on that system
which are configured using Kerberos v5. This can avoid the need for separate
Globus processes when Kerberos processes are already available.

The reverse capability of generating a Globus Proxy Certificate from a
Kerberos v5 TGT is provided by the Globus K5cert software. The source code
needs to be linked with the MIT Kerberos libraries, but does not require
extensions to the KDC. This functionality can provide SSO for both a
Kerberos v5 and Globus environment, provided the CA of the proxy certificate
is trusted by other Globus sites."

Thoughts, experiences?

cs
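As an added illustration, not from Curtis's post or the Globus FAQ, of what the PKI-centric "Kerberos-PKINIT" cell looks like once PKINIT landed in the reference MIT Kerberos (krb5 1.6 and later): a client-side krb5.conf fragment. EXAMPLE.ORG, the KDC host and every file path are placeholders.

```ini
# Added example krb5.conf fragment for PKINIT (certificate -> TGT),
# MIT krb5 1.6+. EXAMPLE.ORG, kdc.example.org and all paths are
# placeholders; adjust them to the deployment.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        # CA(s) that issued the KDC's certificate. The client verifies the
        # KDC's signature in the AS-REP against these anchors, so this is
        # the trust root of the whole PKI-centric column.
        pkinit_anchors = FILE:/etc/krb5/ca-bundle.pem
        # Client certificate and private key used to sign the AS-REQ
        # instead of proving knowledge of a password.
        pkinit_identities = FILE:/etc/krb5/user-cert.pem,/etc/krb5/user-key.pem
        # Require the KDC's certificate to carry the id-pkinit-KPKdc EKU
        # (the default). Relaxing this to "none" would let any certificate
        # chained to the anchors above pose as the KDC, so keep kpKDC.
        pkinit_eku_checking = kpKDC
        # Fail the exchange rather than proceed when the issuer's CRL
        # cannot be checked.
        pkinit_require_crl_checking = true
    }
```

With this in place, `kinit -X X509_user_identity=FILE:/etc/krb5/user-cert.pem,/etc/krb5/user-key.pem user@EXAMPLE.ORG` obtains the TGT from the certificate rather than a password, and `klist` then shows the same TGT that the Kerberos-centric column (gss-keyex for SSH and TLS, k5cert for the proxy certificate) consumes.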

