Reply: Re: cross-realm auth and LDAP

Sam Hartman hartmans at MIT.EDU
Fri Apr 9 10:51:08 EDT 2004


>>>>> "denis" == denis havlik <denis.havlik at t-mobile.at> writes:

    denis> If Mr. X at B sits in company B, then he'll already have a TGT
    denis> from B's KDC, and he'll be trusted to really be Mr. X at B in
    denis> company A, but what happens if he tries to get a TGT while
    denis> "roaming" in company A? Is he supposed to directly contact
    denis> company B KDC, or will the company A KDC do this for him?

He'll need to contact the company B KDC himself.

There are a variety of proposals for getting these credentials while
talking to network authentication infrastructure--for example, getting
credentials as part of DHCP.  This is desirable because you might wish
to require authentication before authorizing network access.  But
these proposals are not as mature as one might like.

    denis> Am I right to assume that all the KDCs have to be visible
    denis> from all the places in order for cross-realm auth. to work
    denis> correctly? That is, KDCs must have a public IP address, and
    denis> firewalls must allow access to udp 88 & udp>1024 to fetch a
    denis> TGT?

Yes.  The KDC software needs to be audited very carefully to make sure
it is safe with this level of access.  I believe all the KDC vendors I
know of understand this and consider KDC security very important.


    >> But most instances of pam_krb5 assume they can convert a login
    >> name to a Kerberos principal simply by appending a default
    >> realm.  This is not inherent; you simply need to decide what
    >> behavior you want and write code to accomplish it.

    denis> OK, so it boils down to "rewrite pam_krb5 to try all realms
    denis> defined in /etc/krb5.conf"? Any idea how much work that
    denis> would be?
That would certainly work.  There are also approaches that allow
people to type in username at REALM at login and strip the realm.

I think doing a quick hack to try a number of realms would probably
take a day or so once you understand pam_krb5.  Fortunately, most of
the pam_krb5 implementations are relatively simple.
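As an added illustration of the two mapping approaches discussed in this exchange (this is not code from the message or from any pam_krb5 implementation), a Python sketch of how a login name becomes the list of principals to try: an explicit user@REALM is honoured only for a realm configured locally, and a bare name is tried against the default realm first and then every other realm in /etc/krb5.conf. The krb5.conf fragment and realm names are constructed for the example.

```python
import re

# Constructed krb5.conf fragment (not from the original message): company A is the
# local default realm and company B is a second, cross-realm-trusted realm.
KRB5_CONF = """
[libdefaults]
    default_realm = A.EXAMPLE
    dns_lookup_kdc = false

[realms]
    A.EXAMPLE = {
        kdc = kdc.a.example:88
    }
    B.EXAMPLE = {
        kdc = kdc.b.example:88
    }
"""

def parse_krb5_conf(text):
    """Return (default_realm, [configured realms]) from [libdefaults] and [realms]."""
    section, default_realm, realms = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'libdefaults' and line.startswith('default_realm'):
            default_realm = line.split('=', 1)[1].strip()
        elif section == 'realms':
            m = re.match(r'([A-Za-z0-9.\-]+)\s*=\s*\{', line)   # "REALM = {" opens a realm block
            if m:
                realms.append(m.group(1))
    return default_realm, realms

def candidate_principals(login, default_realm, realms):
    """Principals a pam_krb5-style module would try, in order, for one login name.
    A name that exists in more than one realm resolves to the first match, so the
    order (default realm first) is a policy decision, not an implementation detail."""
    if '@' in login:
        user, realm = login.rsplit('@', 1)
        if not user or realm not in realms:
            return []            # realm the host does not know: refuse rather than guess
        return [f'{user}@{realm}']
    if not re.fullmatch(r'[A-Za-z0-9._-]+', login):
        return []                # reject anything that is not a plain login name
    ordered = [default_realm] + [r for r in realms if r != default_realm]
    return [f'{login}@{r}' for r in ordered if r]
```

Whichever candidate yields a TGT, a real module still has to verify that ticket against the host's keytab before treating the login as authenticated; this sketch only covers the name-to-principal step.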
