Slightly confused by user-to-user authentication...

Chris Hecker checker at d6.com
Thu Jul 7 01:59:41 EDT 2011


> Sorry for the slow response time. krb5 user-to-user auth is a little
> off the beaten track of Kerberos usage, but this is the intended use
> case.

Awesome, thanks.  And yes, the entire reason I'm using Kerberos is to 
avoid rolling my own security protocol, so I'm glad I happened across 
the user-to-user stuff before starting the other thing.  :)

One more question about user-to-user:  the FAQ says that the "Clocks 
Adrift" paper's solution for not forcing clients to have synced clocks 
is implemented in krb5.  How does this relate to user-to-user sessions? 
  Or, am I misunderstanding?  It would be awesome to only have to have 
my servers synced, and have the clients be, well, clients, with random 
bad clocks, but if I want to user-to-user authenticate does that force 
them to be synced?

http://www.faqs.org/faqs/kerberos-faq/general/section-22.html

Thanks,
Chris

On 2011/07/06 10:35, Greg Hudson wrote:
> On Fri, 2011-07-01 at 15:33 -0400, checker wrote:
>> But, I happened across the user-to-user credentials stuff, and this
>> seems like it's the better way to go because it doesn't require both
>> clients to talk to the TGS, and it establishes just one session key
>> for both, rather than having two?  So, since both clients will have
>> tgts, I pick one to talk to the KDC to get the user-to-user
>> credentials and then they can authn each other?
>
>> Is that the right way to do this?  Is there anything to look out for here?
>
> Sorry for the slow response time.  krb5 user-to-user auth is a little
> off the beaten track of Kerberos usage, but this is the intended use
> case.
>
> If you don't use user-to-user auth, you will not be able to meaningfully
> request credentials from a at FOO.COM to b at FOO.COM if b does not have a
> keytab.  You would have to bootstrap a session key for the users using
> the server connections, which would amount to creating your own
> cryptographic security protocol, which is fraught with peril.  So if
> user-to-user auth can work for you, it's probably a better option.
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



More information about the Kerberos mailing list