Kerberos protocol transition for linux?

S2 some.r at ndom.mail.invalid
Wed Nov 19 11:45:35 EST 2008


Michael B Allen wrote:
> If you have PHP see the link in my sig about Plexcel. It certainly
> could do what you describe.

The back end services are a mix of Java, .NET, php and rails apps (on 
windows and on linux servers), so the proxy should be language 
independent and not require a module on the application server side.
I am not sure I understood from the pdf how Plexcel works.
All application servers can already speak SPNEGO, so that should be used 
to forward the Kerberos credentials over HTTP (I did read SPNEGO on that 
page, but I am not sure how it is used).
So what we would like to do is (fixed font required):

    O
   \|/          +-------------+         +-------------------+
    |  -------> | Magic proxy | ------> | Protected Service |
   / \   HTTP   +-------------+ SPNEGO  +-------------------+
  User                ^
from the             |
Internet             |
                      v
                   +-----+
                   | KDC |
                   +-----+

Do you think Plexcel could be the "Magic Proxy" Box?


> PS: The '.invalid' address in your email actually stops gmail from
> sending directly to you. You might want to try a valid TLD.

That email account is not valid anyway.


