Different Services, Different Realms, but One Host
ms419@freezone.co.uk
ms419 at freezone.co.uk
Thu Mar 11 15:14:38 EST 2004
Thanks everyone!
I agree, Tim: Being able to store one host's keys in different realms
would be nice - in my simple opinion.
I think you understand my question exactly - your example is just what
I'm trying to do. Unfortunately, I still don't know how to do it.
Truly, the confusing part is how the kerberos client obtains a cross
realm TGT for the correct realm.
Since your example is precisely what I'm trying to do, suppose I'm
connecting to service2 on server1.domain.com - my principle resides in
REALM0, say. How does my kerberos client know whether to request a
cross realm TGT for REALM1, 2, or 3? It seems domain_realm will only
map server1.domain.com - and all of its instances - to one realm ...
I'd be very happy to find a way around this!
Jack
On Mar 9, 2004, at 9:36 AM, Tim Alsop wrote:
> Hi,
>
> Perhaps I missunderstand the question, but it is possible to use
> multiple realms on a specific host. The naming of the service
> principals (keys for which would be stored in a key table) would look
> something like :
>
> host/server1.domain.com at REALM1
> service1/server1.domain.com at REALM1
> service2/server1.domain.com at REALM2
> service3/server1.domain.com at REALM3
>
> Essentially, the key in the key table which would be acquired by a
> specific application (a Kerberos service) maintains the shared-secret
> between the service and the realm.
>
> A user can be in one realm with one password. The services can be in
> multiple realms. When an application is run by a user and requests a
> service ticket it will get the ticket from the appropriate KDC for the
> realm.
>
> The part which is perhaps a little confusing is the approach used by
> a kerberos client to determine the KDC that issues the service ticket.
> Normally, the service ticket request is sent to the realm where the
> initial user's ticket (tgt) was issued, and then a cross realm tgt is
> returned for the service realm so that a service ticket can then be
> requested from the correct realm. The service ticket is then sent to
> the service and decrypted with the key in the key table in order to
> determine the principal name of the user.
>
> So, in summary - having multiple realms works well, but is more
> complex. The simplest approach is to use one realm for everthing, but
> this does not have the granularity that some implementations require.
> It is nice to have the option to use either approach to protect
> multiple applications on a specific host !!
>
> Regards, Tim.
>
> -----Original Message-----
> From: Sam Hartman [mailto:hartmans at MIT.EDU]
> Sent: 09 March 2004 17:09
> To: ms419 at freezone.co.uk
> Cc: kerberos at MIT.EDU
> Subject: Re: Different Services, Different Realms, but One Host
>
> >>>>> "ms419" == ms419 <ms419 at freezone.co.uk> writes:
>
> ms419> Pardon this newbish question, but here's the setup: I want
> ms419> to distribute the keys for one host among two
> ms419> realms. Basically, I've got a sensitive service running on
> ms419> a couple of hosts, and a less secure service running on the
> ms419> same hosts. I want to store the keys for the sensitive
> ms419> service in one realm, and the keys for the others in
> ms419> another. Any problems with these premises?
>
> Yes. Current Kerberos implementations assume a host belongs to one
> realm. You'll find it difficult to actually do this.
>
> Also, users will end up having multiple passwords which will be
> annoying.
>
> I recommend having one KDC which is more secure than your most
> sensitive service.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list