multiple realm membership

Randy Turner rturner at amalfisystems.com
Thu Feb 16 12:06:17 EST 2006


Yes, cross-realm authentication would be much easier for this particular
host to handle. However, I can't guarantee that these individual realms
will have any type of trust relationship with each other.

It's kinda like where you have your ISP account, your MSN-IM credentials,
and possibly your Yahoo credentials. The individual has three
relationships (one per service provider), but these service providers do
not know about each other.

Thanks!
Randy

On Feb 16, 2006, at 8:54 AM, Paul B. Hill wrote:


> Instead of answering your question I have to ask an orthogonal question.
>
> Is there some reason you can't instead try to use cross realm
> authentication to meet your needs?
>
> If the various realms are each set up for cross realm authentication,
> then it seems that it would be much simpler to manage your host's
> identity and the client libraries will have a much easier time of
> properly authenticating.
>
> Paul
>
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Randy Turner
> Sent: Thursday, February 16, 2006 11:31 AM
> To: Kerberos at mit.edu
> Subject: multiple realm membership
>
>
> Hello,
>
> I was wondering if the following use-case for Kerberos is valid:
>
> I have a host that wants to be a member of multiple realms
> simultaneously.
>
> When a host boots, it will obtain TG tickets from all ticket-granting
> servers that it is configured to know about, essentially logging in
> to all realms for which the host has valid credentials.
>
> This is all that has to be done if the host has no kerberized
> services that it wants to offer. At this point, if there is a client
> application on the host that wants to connect to a remote service in
> one of the realms, it selects the right TGT to use and obtains a
> ticket from the KDC/TGS that is associated with the target realm.
>
> If a host wants to offer kerberized services to potential clients,
> these clients could attempt to access the services from any of the
> realms for which the host is a member. I'm assuming this means the
> host would have to keep <n> keytabs that are sync'd with the KDC from
> each realm. Also, if a remote client sends a service ticket
> requesting access to a service, the host needs to know from what
> realm the request is coming in order to select the right keytab
> to decrypt the ticket. Are there unencrypted portions of the ticket
> that can be used to find out from what realm the request is coming?
>
> I guess I'm curious if there are precedents for having a host
> maintain simultaneous connectivity to multiple realms and have a
> set of username/password credentials for each of these realms?
>
> I'm curious if MIT-Kerberos even supports this type of scenario?
>
> Thanks in advance for any insight into this use case.
> Randy
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
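Added example (not code from this thread or from MIT Kerberos) for the question in the quoted message about an unencrypted part of the ticket: in RFC 4120 the Ticket's realm and sname fields are cleartext and name the realm that issued the ticket, i.e. the service's own realm, so a multi-realm host can choose the keytab from them before decrypting, while the client's realm (crealm) sits inside the encrypted part and is only known afterwards. It hand-rolls the few DER helpers it needs; the realm names, keytab paths and the zero-filled stand-in for the encrypted part are constructed values.

```python
# Added example, not from the thread. RFC 4120 Ticket ::= [APPLICATION 1] SEQUENCE {
# tkt-vno [0], realm [1], sname [2], enc-part [3] }: only enc-part is encrypted, so a
# host in several realms can read realm and sname to pick a keytab before decrypting.
def tlv(tag, body):                       # DER element; short-form length suffices here
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def ctx(n, body):                         # EXPLICIT context tag [n]
    return tlv(0xA0 | n, body)
def kstring(s):                           # KerberosString = GeneralString
    return tlv(0x1B, s.encode("ascii"))
def integer(i):                           # INTEGER, 0 <= i < 128
    return tlv(0x02, bytes([i]))

def encode_ticket(realm, sname, etype, cipher):
    # Build a DER Ticket; 'cipher' stands in for the encrypted EncTicketPart.
    principal = tlv(0x30, ctx(0, integer(3)) +          # name-type 3 = NT-SRV-HST
                    ctx(1, tlv(0x30, b"".join(kstring(p) for p in sname))))
    enc_part = tlv(0x30, ctx(0, integer(etype)) + ctx(2, tlv(0x04, cipher)))
    body = tlv(0x30, ctx(0, integer(5)) + ctx(1, kstring(realm)) +
               ctx(2, principal) + ctx(3, enc_part))
    return tlv(0x61, body)                              # [APPLICATION 1] constructed

def read_tlv(buf, pos=0):                 # (tag, content, end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length, as in real-size tickets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def items(body):                          # (tag, content) for each element of a SEQUENCE
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def ticket_server(ticket):
    """Read (realm, service principal) from the cleartext part of a Ticket."""
    tag, app, _ = read_tlv(ticket)
    if tag != 0x61:
        raise ValueError("not an [APPLICATION 1] Ticket")
    f = {t & 0x1F: v for t, v in items(read_tlv(app)[1])}   # [n] -> inner element
    realm = read_tlv(f[1])[1].decode("ascii")
    pn = {t & 0x1F: v for t, v in items(read_tlv(f[2])[1])}
    parts = [v.decode("ascii") for _, v in items(read_tlv(pn[1])[1])]
    return realm, "/".join(parts)

# Constructed table: realms this host is enrolled in -> keytab path (hypothetical paths).
KEYTABS = {"EXAMPLE.COM": "/etc/krb5.keytab.example", "PARTNER.NET": "/etc/krb5.keytab.partner"}
def select_keytab(ticket):                # keytab for the issuing realm, None if not a member
    return KEYTABS.get(ticket_server(ticket)[0])
```

A ticket whose realm is not in the table can be rejected before any decryption is attempted, which is the check a multi-realm host wants in front of its keytab lookup.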