using kerberos to authenticate for a web api

Rick van Rein rick at
Tue Nov 5 10:32:39 EST 2013


Good to hear that this is integrated into Fedora and/or FreeIPA.
> gss_init_sec_context() against any service using the evidence ticket as
> proof to obtain new tickets. If the KDC allows you, that is.
Absolute freedom within the confines of Constrained Delegation.  Clear.
> So as long as the webmail app retains the ccache (passed through an
> apache environment variable) and uses it to init its connection, it will
> work.
Ah, that's not what I had in mind when I mentioned S4U2Proxy in relation to mod_auth_kerb. You are making the ccache available to an environment wrought with ill-maintained (and regularly ill-written) code. I would have expected a way to delegate a limited, outward credential, or better even, an API (like GSSAPI) to talk to by select scripts in a proxy-client role.

Am I mistaken, or does this approach say "hijack any script on this vhost (or under this location/directory) and gain access to all the backend services available to the user"?

Rick van Rein

More information about the Kerberos mailing list