User delegation in Kerberos V5

fantoosh@hotmail.com fantoosh at hotmail.com
Sat Dec 17 00:09:36 EST 2005


Hi,

I am wondering if I can do the following in Kerberos (any flavours).

I am a user of some realm. I have a friend Alice who is not a user of
my realm nor is a user of any other Kerberos realm.

How can I give access to Alice to some of the files stored on a
Kerberized file server?

In otherwords can I somehow delegate my permissions (token) to Alice so
that she can use that token to authenticate with the server. I don't
want to do proxy delegation since I don't want Alice to act on my
behalf.

I was thinking that it might be possible in Public key based Kerberos
PKDA or PKINIT.

I browsed for a while but could not find any document that said that in
Kerberos a user can delegate his/her token to another user. Any
pointers?

PS: Is public key based Kerberos used in practice?

Thanks.



More information about the Kerberos mailing list