best way for a service to authn a client dynamically?
Chris Hecker
checker at d6.com
Tue Aug 9 16:29:18 EDT 2011
Under normal krb5 usage, services don't talk to the KDC, they just use a
keytab and deal with tickets. However, since I have my nifty allow_tix
patch allowing dynamic banning of clients, and my disallow_svr patch to
require u2u creds, what's the best way for a service to talk to the KDC
to see if the client is banned or not?
I assume it's just to call krb5_get_credentials like kvno.c does, except
since I know my clients are restricted to u2u, I use the service as the
creds.client, and the client as the creds.server, and pass
KRB5_GC_USER_USER?
Hmm, wait, no, this would require the client to send the tgt. Okay, it
looks like I check -allow_tix before I check +disallow_svr, so I guess
the best thing is to call krb5_get_credentials with the client as the
creds.server, and it will either fail with
KRB5KDC_ERR_MUST_USE_USER2USER if the account is in good standing, or
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN if it's been banned.
I understand this will increase load on the KDC, but I'll worry about
that later.
However, thinking about the performance, should I have the service set
up with a ccache and a valid tgt, so getting this ticket is only a
single round trip TGS_REQ? Or, should I do this using the
in_tkt_service param to krb5_get_init_creds_keytab and do it as an
AS_REQ? I assume it's better to do a TGS_REQ than an AS_REQ? My
services will be set up with -require_preauth, so both should be a
single round trip, but it seems like a TGS_REQ will be less load on the KDC?
Thanks,
Chris