question on keytabs

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Oct 12 20:06:52 EDT 2005


Goldrick, Jim wrote:

> Hi all,
> 
> I am working to modify an SSO app called Cosign.  I want it to try to authenticate to multiple realms.  I actually have it doing that now.  However, someone has brought up a good question.  Right now, I only have an Active Directory realm and a Unix realm.  However, if I want to add more Unix realms, how do I transfer the keytab.cosign to other KDCs?  I am thinking that a kdb5_util load update would bring it into a different KDC.  How can I dump the single principal from the original KDC?  Or is my thinking all wrong here?
> 
> Thanks much!
> 
> jim

What you need to do is exchange cross-realm keys with the other realms
whose principals you would like to be able to authenticate to your
Cosign authenticated services.

You do not want to provide the key entries associated with your cosign
installation to anyone else.  If you have done so, you should change the
keys immediately.  Anyone with access to the cosign keys can gain
access to all of the Kerberos 5 TGTs for users that have logged into
Cosign.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
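
The cross-realm key exchange recommended in the reply above, as an added example that is not part of the original thread. It assumes MIT KDCs administered with kadmin.local; the realm names are constructed and the helper functions are hypothetical. The keytab itself is never copied: each pair of realms shares only a krbtgt principal, created on both KDCs with the same secret, key version number and encryption types.

```shell
#!/bin/sh
# Added example: plan cross-realm keys so that users of other realms can reach
# services in the Cosign realm. All realm names below are constructed.
LC_ALL=C; export LC_ALL   # make the A-Z range below match upper case only

# valid_realm NAME: accept only upper-case DNS-style realm names.
valid_realm() {
    case "$1" in
        ''|*[!A-Z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# xrealm_principal SERVICE_REALM CLIENT_REALM
# Name of the cross-realm TGS principal that lets CLIENT_REALM users obtain
# tickets for services in SERVICE_REALM. It must exist in BOTH KDC databases.
xrealm_principal() {
    valid_realm "$1" && valid_realm "$2" || { echo "bad realm name" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "realms must differ" >&2; return 1; }
    printf 'krbtgt/%s@%s\n' "$1" "$2"
}

# xrealm_plan SERVICE_REALM CLIENT_REALM...
# Print the kadmin.local command each KDC admin runs. No password appears on
# the command line: kadmin prompts, and both admins enter the same agreed secret.
xrealm_plan() {
    svc=$1; shift
    for cli in "$@"; do
        princ=$(xrealm_principal "$svc" "$cli") || return 1
        for kdc in "$svc" "$cli"; do
            printf 'on %s KDC: kadmin.local -r %s -q "addprinc %s"\n' \
                "$kdc" "$kdc" "$princ"
        done
    done
}

# Constructed realms: the Cosign realm plus two additional Unix realms.
xrealm_plan COSIGN.EXAMPLE.ORG UNIX1.EXAMPLE.ORG UNIX2.EXAMPLE.ORG
```

The script only prints the plan; nothing is sent to a KDC. Each printed command is run by that realm's own administrator.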

