Proxy KDC

Derek Atkins derek at ihtfp.com
Wed Oct 23 21:41:50 EDT 2002


Monica Lau <mllau2002 at yahoo.com> writes:

> Hi all,
> First of all, thanks for your response.  However, I'm still not
> understanding what the non-trivial design issues are with supporting
> proxy KDC and why one would not want to use this feature were it
> implemented?  I would think that this feature would be popular, but
> I don't know Kerberos well enough to understand the problems with
> it.  Thanks for your time and help.  Monica

Hi,

I'm not sure exactly what you want to happen (or why you consider
breaking a realm into multiple pieces to be a "feature").  All I
can imagine is that what you want is the ability to "share" a domain
across multiple administrative domains.  If that is what you want,
then really each administrative domain should run its own realm,
or some "super agency" should run one common domain for all of them.

If a client knows its principal name (e.g. warlord at MIT.EDU) then
it can send the AS_REQ directly to the MIT.EDU kerberos server.
If the client only knows part of its principal name (e.g. warlord)
then all you can do is provide a "best guess" as to the full name.

In the latter case, it may be possible to have a referral to the
appropriate domain if there is some back-end means.  Unfortunately
these kinds of referrals are completely insecure and lead to other
potential security problems.

So really the question is: what real-world problem are you trying
to solve?

-derek

> Sam Hartman <hartmans at mit.edu> wrote:
> >>>>> "Monica" == Monica Lau writes:
> 
> Monica> Hi all,
> 
> Monica> I was wondering if the MIT Kerberos server supports
> Monica> proxy KDC. For example, I have two KDCs in my network,
> Monica> KDC A and KDC B. If a user tries to authenticate to KDC
> Monica> A, and KDC A can't find that user's entry in its database,
> Monica> KDC A will automatically contact KDC B and send the
> Monica> authentication reply back to the user.
> 
> This feature is not supported.
> I think there are non-trivial design issues associated with doing this.
> I suspect we would not be interested in the feature were it implemented.
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek at ihtfp.com             www.ihtfp.com
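
As an added illustration of the two cases Derek describes (a client that knows its full principal name sends the AS_REQ to that realm's KDC; a client that only knows "warlord" can only fall back to a best-guess default realm), the following Python is example code written for this page. It is not code from the original post, from MIT Kerberos, or from any of the participants. The realm-to-KDC table, the default realm and the hostnames in it are constructed placeholders; the principal-name parsing follows the conventional Kerberos form name/instance@REALM with backslash escapes, so that an escaped "\@" or "\/" inside a component does not split it.

```python
"""Added example: which KDC receives the AS_REQ for a given principal name.

Not code from the original post or from MIT Kerberos.  The realm table,
default realm and hostnames below are constructed for illustration only.
"""

# Constructed realm table (hostnames are placeholders, not real KDCs).
KDC_FOR_REALM = {
    "MIT.EDU": "kerberos.example.test",
    "EXAMPLE.COM": "kdc.example.test",
}
DEFAULT_REALM = "EXAMPLE.COM"  # assumed "best guess" realm for partial names

# Backslash escapes in the text form of a principal: \n \t \b \0, plus any
# other escaped character taken literally (so "\@" and "\/" do not split).
_UNESCAPE = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm_or_None).

    Returns realm None when no unescaped '@' is present, i.e. the client
    only knows part of its name (Derek's second case).  A second '@' inside
    the realm, an empty realm or an empty first component is malformed.
    """
    components, current = [], []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("trailing backslash in principal")
            nxt = text[i + 1]
            current.append(_UNESCAPE.get(nxt, nxt))
            i += 2
            continue
        if ch == "@":
            if in_realm:
                raise ValueError("second '@' in principal")
            components.append("".join(current))
            current = []
            in_realm = True
        elif ch == "/" and not in_realm:
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if in_realm:
        realm = "".join(current)
        if realm == "":
            raise ValueError("empty realm after '@'")
    else:
        realm = None
        components.append("".join(current))
    if components[0] == "":
        raise ValueError("principal has no name component")
    return components, realm


def choose_kdc(principal, default_realm=DEFAULT_REALM):
    """Return (realm, kdc_host, guessed) for the AS_REQ.

    guessed is True when the realm was not in the name and the default
    realm was used as the best guess; the client cannot know whether that
    guess is right until the KDC answers.
    """
    _components, realm = parse_principal(principal)
    guessed = realm is None
    if guessed:
        realm = default_realm
    kdc = KDC_FOR_REALM.get(realm)
    if kdc is None:
        raise LookupError("no KDC known for realm %s" % realm)
    return realm, kdc, guessed


if __name__ == "__main__":
    for name in ("warlord@MIT.EDU", "warlord", "host/kdc.example.test@EXAMPLE.COM"):
        realm, kdc, guessed = choose_kdc(name)
        print("%-40s -> realm %-12s KDC %s%s"
              % (name, realm, kdc, "  (best guess)" if guessed else ""))
```

Run it directly to see the three cases; the point of the example is that the realm (and therefore the KDC) is chosen from the principal name on the client side, so a KDC that cannot find a user has no principled way to decide which other KDC should be asked.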
