Storing TGT in cache
Jeffrey Altman
jaltman2 at nyc.rr.com
Tue Apr 20 12:16:01 EDT 2004
Matt wrote:
> Hmmm.... this is quite an interesting thought for me. It would be very
> useful for an applet to function as a "kinit" to a number of realms,
> which would then store a TGT within my Win2k/Apple/Linux local cache,
> such that my local applications and utilities can connect to Kerberized
> resources (file shares, spnego-web, etc) Of course, the need for
> multiple OS's means this would need to be a standard part of the JVM (or
> separate OS aware Java packages).
>
> Does such a beast exist?
>
> -Matt
There are two fundamental problems with using the Java Kerberos
implementation as the kinit application. First, the Java Kerberos
implementation only supports the single DES enctypes. This is
not desirable given that every other distribution of Kerberos by
now supports DES3 and RC4 and some even support AES.
The second problem is that the Java Kerberos implementation only
knows how to support file based credential cache files. On Windows
and MacOS X, file ccaches are not used. Instead, the CCAPI interface
is used for access to the MIT ccache which is stored in memory.
In addition, on Windows the Microsoft ccache is stored as part of the
Logon Session services.
I have suggested in the past to Sun's Java Security team that they
re-implement the Java Kerberos to use JNI to support whatever Kerberos
implementation is provided by the base operating system. They should
only use their own implementation when an operating system specific
Kerberos is not available for use. This would allow for true single
sign-on and transparency for all of the major operating systems while
still providing a light-weight Kerberos implementation for smaller
devices running Java which do not have OS support for Kerberos.
If you support this idea, please file a request with Sun.
Jeffrey Altman
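The two limitations described in the message above (a file-based credential cache and the enctype of the TGT it holds) can both be checked from Java itself. The following is an added example, not code from the post or from Sun's Kerberos implementation: it logs in with the JDK's Krb5LoginModule against an existing file credential cache and reports the session-key enctype of every ticket it finds, flagging single-DES tickets. The cache path `/tmp/krb5cc_example`, the JAAS entry name `KerberosCheck`, and the assumption that a usable krb5.conf is present are all mine; on Windows or Mac OS X the `ticketCache` option still expects a file, which is exactly the mismatch with CCAPI and the Logon Session cache that the message points out.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TgtEnctypeCheck {

    // Single-DES enctype numbers from RFC 3961:
    // des-cbc-crc = 1, des-cbc-md4 = 2, des-cbc-md5 = 3.
    static boolean isSingleDes(int etype) {
        return etype == 1 || etype == 2 || etype == 3;
    }

    // Programmatic JAAS configuration, equivalent to this login.conf entry
    // (entry name and cache path are assumptions for this example):
    //   KerberosCheck {
    //     com.sun.security.auth.module.Krb5LoginModule required
    //       useTicketCache=true doNotPrompt=true
    //       ticketCache="/tmp/krb5cc_example";
    //   };
    static class TicketCacheConfig extends Configuration {
        private final String ccachePath;

        TicketCacheConfig(String ccachePath) {
            this.ccachePath = ccachePath;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");   // read an existing file ccache
            opts.put("ticketCache", ccachePath);  // Java only understands file caches
            opts.put("doNotPrompt", "true");      // fail instead of asking for a password
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    opts)
            };
        }
    }

    public static void main(String[] args) throws LoginException {
        // Assumed default path; pass a different ccache file as the first argument.
        String ccache = args.length > 0 ? args[0] : "/tmp/krb5cc_example";

        LoginContext lc = new LoginContext("KerberosCheck", null, null,
                                           new TicketCacheConfig(ccache));
        lc.login();  // throws LoginException if the cache is missing or expired

        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            int etype = t.getSessionKeyType();
            System.out.printf("%s -> %s: session key enctype %d%s%n",
                t.getClient(), t.getServer(), etype,
                isSingleDes(etype) ? "  [WEAK: single DES]" : "");
        }
    }
}
```

Run it after a native `kinit` has populated the file cache (for example `java TgtEnctypeCheck /tmp/krb5cc_example`). The enctype numbers it prints come from the ticket's session key as stored in the cache, so a single-DES flag here means the KDC and client negotiated DES regardless of what the JDK itself could have supported.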