Slightly confused by user-to-user authentication...
Greg Hudson
ghudson@MIT.EDU
Wed Jul 6 13:35:36 EDT 2011
On Fri, 2011-07-01 at 15:33 -0400, checker wrote:
> But, I happened across the user-to-user credentials stuff, and this
> seems like it's the better way to go because it doesn't require both
> clients to talk to the TGS, and it establishes just one session key
> for both, rather than having two? So, since both clients will have
> tgts, I pick one to talk to the KDC to get the user-to-user
> credentials and then they can authn each other?
> Is that the right way to do this? Is there anything to look out for here?
Sorry for the slow response time. krb5 user-to-user auth is a little
off the beaten track of Kerberos usage, but this is the intended use
case.
If you don't use user-to-user auth, you will not be able to meaningfully
request credentials from a@FOO.COM to b@FOO.COM if b does not have a
keytab. You would have to bootstrap a session key for the users using
the server connections, which would amount to creating your own
cryptographic security protocol, which is fraught with peril. So if
user-to-user auth can work for you, it's probably a better option.
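The exchange Greg describes, as an added example that is not part of the original post and not MIT krb5 code: a stand-alone Python model of the Kerberos user-to-user flow (RFC 4120's ENC-TKT-IN-SKEY TGS option and the USE-SESSION-KEY AP option). The KDC class, the principal names a@FOO.COM and b@FOO.COM, and the seal/open_ helpers (a toy encrypt-then-MAC built from SHA-256 and HMAC) are assumptions of this model; real krb5 uses ASN.1 messages, etype-specific encryption, timestamps, addresses and replay caches, all elided here. What the model shows is the point of the reply: b never needs a keytab, only a talks to the TGS, and both ends come out holding the same single session key because the KDC seals the service ticket under the session key of b's TGT instead of a long-term key for b.

```python
# Added example (not MIT krb5 source): toy model of Kerberos user-to-user auth.
# seal/open_, KDC, and the principal names are assumptions of this model.
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (model only, not a real etype)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(x ^ y for x, y in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> dict:
    """Verify the tag under `key` and decrypt; wrong key or tampering -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(x ^ y for x, y in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds the krbtgt key, plus long-term keys only for principals that have a keytab."""

    def __init__(self):
        self.tgs_key = secrets.token_bytes(32)
        self.long_term = {}  # principal -> key; plain users (no keytab) are absent

    def as_exchange(self, cname: str):
        """AS exchange (password check elided): returns (TGT, TGT session key)."""
        sk = secrets.token_bytes(32)
        return seal(self.tgs_key, {"cname": cname, "key": sk.hex()}), sk

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str,
                     enc_tkt_in_skey: bool = False, additional_ticket: bytes = None):
        """TGS exchange. With ENC-TKT-IN-SKEY the service ticket is sealed under the
        session key of the additional (server's) TGT instead of sname's long-term key."""
        tgt_body = open_(self.tgs_key, tgt)           # only the KDC can read a TGT
        ka = bytes.fromhex(tgt_body["key"])
        auth = open_(ka, authenticator)               # proves the requester holds Ka
        if auth["cname"] != tgt_body["cname"]:
            raise ValueError("authenticator/TGT principal mismatch")
        kab = secrets.token_bytes(32)                 # the single session key for a and b
        if enc_tkt_in_skey:
            peer = open_(self.tgs_key, additional_ticket)
            if peer["cname"] != sname:
                raise ValueError("additional ticket is not for %s" % sname)
            ticket_key = bytes.fromhex(peer["key"])   # b's TGT session key
        else:
            if sname not in self.long_term:
                raise KeyError("no long-term key (keytab) for %s" % sname)
            ticket_key = self.long_term[sname]
        ticket = seal(ticket_key, {"cname": auth["cname"], "sname": sname, "key": kab.hex()})
        enc_part = seal(ka, {"sname": sname, "key": kab.hex()})
        return ticket, enc_part


def user_to_user(kdc: KDC, a: str, b: str):
    """Full flow: both hold TGTs, only a talks to the TGS. Returns (K_ab at a, K_ab at b)."""
    tgt_a, ka = kdc.as_exchange(a)
    tgt_b, kb = kdc.as_exchange(b)
    # 1. b hands its TGT to a over the application protocol (a TGT is not secret on its own).
    # 2. a alone sends TGS-REQ with ENC-TKT-IN-SKEY carrying b's TGT as the additional ticket.
    ticket, enc_part = kdc.tgs_exchange(tgt_a, seal(ka, {"cname": a}), sname=b,
                                        enc_tkt_in_skey=True, additional_ticket=tgt_b)
    kab_at_a = bytes.fromhex(open_(ka, enc_part)["key"])
    # 3. a -> b: AP-REQ with USE-SESSION-KEY; b opens the ticket with its TGT session key.
    ap_req = {"ticket": ticket, "authenticator": seal(kab_at_a, {"cname": a}),
              "use_session_key": True}
    tkt_body = open_(kb, ap_req["ticket"])
    kab_at_b = bytes.fromhex(tkt_body["key"])
    if open_(kab_at_b, ap_req["authenticator"])["cname"] != tkt_body["cname"]:
        raise ValueError("authenticator does not match ticket")
    # 4. b -> a: AP-REP under K_ab gives a mutual authentication of b.
    if open_(kab_at_a, seal(kab_at_b, {"sname": b}))["sname"] != b:
        raise ValueError("mutual authentication failed")
    return kab_at_a, kab_at_b


if __name__ == "__main__":
    k1, k2 = user_to_user(KDC(), "a@FOO.COM", "b@FOO.COM")
    print("shared session key established:", k1 == k2)
```

The contrast with the non-user-to-user path is in `tgs_exchange`: without ENC-TKT-IN-SKEY the KDC must look up a long-term key for b, and a principal that only has a TGT (no keytab) is simply not there, which is the "cannot meaningfully request credentials" case in the reply.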