best way for a service to authn a client dynamically?

Chris Hecker checker at d6.com
Tue Aug 9 16:29:18 EDT 2011


Under normal krb5 usage, services don't talk to the KDC, they just use a 
keytab and deal with tickets.  However, since I have my nifty allow_tix 
patch allowing dynamic banning of clients, and my disallow_svr patch to 
require u2u creds, what's the best way for a service to talk to the KDC 
to see if the client is banned or not?

I assume it's just to call krb5_get_credentials like kvno.c does, except 
since I know my clients are restricted to u2u, I use the service as the 
creds.client, and the client as the creds.server, and pass 
KRB5_GC_USER_USER?

Hmm, wait, no, this would require the client to send the tgt.  Okay, it 
looks like I check -allow_tix before I check +disallow_svr, so I guess 
the best thing is to call krb5_get_credentials with the client as the 
creds.server, and it will either fail with 
KRB5KDC_ERR_MUST_USE_USER2USER if the account is in good standing, or 
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN if it's been banned.

I understand this will increase load on the KDC, but I'll worry about 
that later.

However, thinking about the performance, should I have the service set 
up with a ccache and a valid tgt, so getting this ticket is only a 
single round trip TGS_REQ?  Or, should I do this using the 
in_tkt_service param to krb5_get_init_creds_keytab and do it as an 
AS_REQ?  I assume it's better to do a TGS_REQ than an AS_REQ?  My 
services will be set up with -require_preauth, so both should be a 
single round trip, but it seems like a TGS_REQ will be less load on the KDC?

Thanks,
Chris
