using kerberos to authenticate for a web api
Rick van Rein
rick at openfortress.nl
Tue Nov 5 10:32:39 EST 2013
Hello,
Good to hear that this is integrated into Fedora and/or FreeIPA.
> gss_init_sec_context() against any service using the evidence ticket as
> proof to obtain new tickets. If the KDC allows you, that is.
>
Absolute freedom within the confines of Constrained Delegation. Clear.
> So as long as the webmail app retains the ccache (passed through an
> apache environment variable) and uses it to init its connection, it will
> work.
>
Ah, that's not what I had in mind when I mentioned S4U2Proxy in relation
to mod_auth_kerb. You are making the ccache available to an environment
fraught with ill-maintained (and regularly ill-written) code. I would
have expected a way to delegate a limited outward credential, or,
better still, an API (like GSSAPI) for select scripts to talk to in a
proxy-client role.
Am I mistaken, or does this approach say "hijack any script on this
vhost (or under this location/directory) and gain access to all the
backend services available to the user"?
Rick van Rein
OpenFortress
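The scoping concern raised in the message above, shown as an added Apache configuration example that is not part of the original thread and not from the mod_auth_kerb project: the first vhost saves the delegated credentials for every location, so any script under the DocumentRoot inherits KRB5CCNAME; the second saves them only for one location served by a single proxy script. The directive names KrbSaveCredentials and KrbConstrainedDelegation are taken from mod_auth_kerb 5.4 and are assumed to match the build in use; the hostname, realm, keytab path and /imap-proxy location are placeholders.

```apache
# Added example, not from the original message or from mod_auth_kerb itself.
# Assumes mod_auth_kerb 5.4 directive names; hostname, realm, keytab path
# and the /imap-proxy location are placeholders.

# Variant 1 (broad): credentials are saved for the whole vhost, so every
# CGI/PHP/WSGI script under /var/www/webmail receives KRB5CCNAME and can
# use the evidence ticket against any backend the KDC permits.
<VirtualHost *:443>
    ServerName webmail.example.org
    DocumentRoot /var/www/webmail
    <Location />
        AuthType Kerberos
        AuthName "Webmail"
        KrbAuthRealms EXAMPLE.ORG
        Krb5Keytab /etc/httpd/conf/HTTP.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbSaveCredentials on
        KrbConstrainedDelegation on
        Require valid-user
    </Location>
</VirtualHost>

# Variant 2 (narrow): the same vhost, but the ccache is only handed to the
# one location that fronts the audited proxy script. Everything else still
# authenticates the user, yet gets no credentials to reuse.
<VirtualHost *:443>
    ServerName webmail.example.org
    DocumentRoot /var/www/webmail
    <Location />
        AuthType Kerberos
        AuthName "Webmail"
        KrbAuthRealms EXAMPLE.ORG
        Krb5Keytab /etc/httpd/conf/HTTP.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbSaveCredentials off
        Require valid-user
    </Location>
    # Only this handler (one script, placeholder path) may act as proxy client.
    <Location /imap-proxy>
        AuthType Kerberos
        AuthName "Webmail"
        KrbAuthRealms EXAMPLE.ORG
        Krb5Keytab /etc/httpd/conf/HTTP.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbSaveCredentials on
        KrbConstrainedDelegation on
        Require valid-user
    </Location>
</VirtualHost>
```

Narrowing the location does not address the objection that the script itself runs in the web-server process with the full ccache in hand; it only reduces how many scripts get that ccache, which is the difference between the two variants.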