Reply: Re: cross-realm auth and LDAP [Virus checked]
denis.havlik@t-mobile.at
Fri Apr 9 06:19:13 EDT 2004
>If I share a key between company A and company B, then I'm trusting
>that company B's KDC will accurately represent the identities of
>company B users. Or put another way, the company B KDC must be
>trusted at least as much as any user claiming to be from company B.
>That is a weak trust requirement.
OK, so I must trust company B's KDC when it says "Mr. X at B really is who
he claims to be". So far so good. The part that I'm missing is "how do I
contact company B's KDC in the first place?"
If Mr. X at B sits in company B, then he'll already have a TGT from B's KDC,
and he'll be trusted to really be Mr. X at B in company A, but what happens
if he tries to get a TGT while "roaming" in company A? Is he supposed to
directly contact company B's KDC, or will the company A KDC do this for him?
Am I right to assume that all the KDCs have to be visible from all the
places in order for cross-realm auth. to work correctly? That is, KDCs
must have a public IP address, and firewalls must allow access to udp 88 &
udp>1024 to fetch a TGT?
>But most instances of pam_krb5 assume they can convert a login name to
>a Kerberos principal simply by appending a default realm. This is not
>inherent; you simply need to decide what behavior you want and write
>code to accomplish it.
OK, so it boils down to "rewrite pam_krb5 to try all realms defined in
/etc/krb5.conf"? Any idea how much work that would be?
regards
Denis
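The "try all realms from /etc/krb5.conf" idea discussed above, as an added illustration that is not part of this thread and not pam_krb5's own (C) code: it parses the brace-delimited `[realms]` stanzas of a constructed sample krb5.conf and builds the ordered list of candidate principals for a bare login name (default realm first, then the other configured realms), which is exactly the mapping decision the quoted reply says the module has to make. Realm names, KDC hostnames and the login name are assumptions; only realms you actually trust should be listed, since each one's KDC gets to vouch for the user.

```python
"""Map a login name to candidate Kerberos principals from krb5.conf."""
import re

# Constructed sample krb5.conf for a two-company cross-realm setup (assumed names).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = A.EXAMPLE

[realms]
    A.EXAMPLE = {
        kdc = kdc.a.example:88
        admin_server = kdc.a.example
    }
    B.EXAMPLE = {
        kdc = kdc.b.example
    }

[domain_realm]
    .a.example = A.EXAMPLE
    .b.example = B.EXAMPLE
"""


def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text.

    Only [libdefaults] default_realm and the [realms] stanzas are read;
    comments (#) and other sections are skipped.
    """
    default_realm, realms, section, current = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, current = header.group(1), None
        elif section == "libdefaults" and re.match(r"default_realm\s*=", line):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            if line.endswith("{"):                      # REALM = {
                current = line.split("=", 1)[0].strip()
                realms[current] = []
            elif line == "}":
                current = None
            elif current and re.match(r"kdc\s*=", line):
                realms[current].append(line.split("=", 1)[1].strip())
    return default_realm, realms


def candidate_principals(login, default_realm, realms):
    """An explicit user@REALM is used as-is; a bare name is tried against the
    default realm first, then the remaining configured realms in sorted order."""
    if "@" in login:
        return [login]
    order = [default_realm] + sorted(r for r in realms if r != default_realm)
    return [f"{login}@{realm}" for realm in order if realm]
```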