Unclear about Kerberos' Concepts
Greg Hudson
ghudson at MIT.EDU
Sat Oct 5 10:43:08 EDT 2013
On 10/05/2013 09:42 AM, Rick van Rein wrote:
> I am less clear about the difference between users and services though -- are these kinds of principals that we as users have in mind, or is it something like "user is always a client" and/or "service is always a server" also carved in stone in the Kerberos system and its conceptual design?
The protocol does not distinguish strongly between users and services.
Implementations do, to varying extents.
> Or could a user contact a user; could a service contact a service; could a service contact a user?
It is common for a service to contact another service, after using its
long-term key to acquire a TGT. It is less common for a user or service
to contact a user, though it is possible.
> Delegation would be the way that I can tell a secretary, or a bot, to act on my behalf. Does this also fall under Constrained Delegation? In other words, can I set up krbAllowedToDelegateTo in LDAP and will CHECK_ALLOWED_TO_DELEGATE be called in such cases?
In Kerberos, delegation allows a service to act on your behalf to
another service. It is not common (or easy) to delegate credentials to
another principal which acts purely as a client, such as a secretary or bot.
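As an added illustration (not part of Greg's reply and not MIT krb5 code), the following toy Python model of a KDC shows the three points above: the principal database has one kind of entry whether the name is a user or a service, any principal that can prove its long-term key gets a TGT and can then request a ticket for any other principal (service-to-service and user-to-user both work at the protocol level), and constrained delegation is decided per service by an allowed-to-delegate list that stands in for the krbAllowedToDelegateTo attribute. Principal names, keys and the HMAC "sealing" are constructed for the example; real tickets are encrypted, not MACed, and real keys are not derived from the principal name.

```python
import hashlib
import hmac
import json

REALM = "EXAMPLE.ORG"
TGS = f"krbtgt/{REALM}"


def _key(name: str) -> bytes:
    # Constructed long-term key for the toy database; not a real KDC key derivation.
    return hashlib.sha256(f"long-term-key:{name}@{REALM}".encode()).digest()


# Constructed principal database. Users and services are the same kind of entry;
# the only per-principal policy is allowed_to_delegate_to, a stand-in for the
# krbAllowedToDelegateTo LDAP attribute mentioned in the question.
DB = {
    "alice": {"allowed_to_delegate_to": []},
    "bob": {"allowed_to_delegate_to": []},
    "HTTP/web.example.org": {"allowed_to_delegate_to": ["ldap/dir.example.org"]},
    "ldap/dir.example.org": {"allowed_to_delegate_to": []},
    "smtp/mail.example.org": {"allowed_to_delegate_to": []},
    TGS: {"allowed_to_delegate_to": []},
}


def _seal(body: dict, server: str) -> dict:
    # Toy analogue of "ticket encrypted in the server's long-term key":
    # an HMAC under that key, which only the KDC and the named server can verify.
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(_key(server), payload.encode(), hashlib.sha256).hexdigest()
    return {"server": server, "payload": payload, "tag": tag}


def _open(ticket: dict, server: str) -> dict:
    expected = hmac.new(_key(server), ticket["payload"].encode(), hashlib.sha256).hexdigest()
    if ticket["server"] != server or not hmac.compare_digest(ticket["tag"], expected):
        raise ValueError("ticket not valid for " + server)
    return json.loads(ticket["payload"])


def as_exchange(client: str, proof: bytes) -> dict:
    """AS exchange: any principal that proves its long-term key gets a TGT.
    `proof` stands in for pre-authentication; the same call serves a user
    typing a password and a service reading a keytab."""
    if client not in DB or not hmac.compare_digest(proof, _key(client)):
        raise PermissionError("pre-authentication failed for " + client)
    return _seal({"client": client, "server": TGS}, TGS)


def tgs_exchange(tgt: dict, server: str) -> dict:
    """TGS exchange: a ticket for `server`, issued to whoever holds a valid TGT.
    The KDC does not care whether either side is a 'user' or a 'service'."""
    body = _open(tgt, TGS)
    if server not in DB:
        raise LookupError("no such principal: " + server)
    return _seal({"client": body["client"], "server": server}, server)


def s4u2proxy(service_tgt: dict, evidence: dict, target: str) -> dict:
    """Constrained delegation: a service holding a ticket from a user asks for a
    ticket to `target` in that user's name. The allowed-to-delegate check here
    plays the role the question attributes to CHECK_ALLOWED_TO_DELEGATE."""
    service = _open(service_tgt, TGS)["client"]
    user = _open(evidence, service)["client"]  # evidence ticket must be addressed to this service
    if target not in DB[service]["allowed_to_delegate_to"]:
        raise PermissionError(f"{service} may not delegate to {target}")
    return _seal({"client": user, "server": target, "delegated_by": service}, target)


def accept(ticket: dict, server: str) -> str:
    """Application server side: open the ticket with its own key, return the client name."""
    return _open(ticket, server)["client"]


def demo() -> dict:
    out = {}
    alice_tgt = as_exchange("alice", _key("alice"))
    # A service uses its long-term key to get a TGT, then contacts another service.
    web_tgt = as_exchange("HTTP/web.example.org", _key("HTTP/web.example.org"))
    out["service_to_service"] = accept(tgs_exchange(web_tgt, "smtp/mail.example.org"), "smtp/mail.example.org")
    # A user contacting a user: bob is just another principal with a key.
    out["user_to_user"] = accept(tgs_exchange(alice_tgt, "bob"), "bob")
    # alice authenticates to the web service, which then acts for her toward LDAP...
    to_web = tgs_exchange(alice_tgt, "HTTP/web.example.org")
    out["delegated_client"] = accept(s4u2proxy(web_tgt, to_web, "ldap/dir.example.org"), "ldap/dir.example.org")
    # ...but not toward a target missing from its allowed-to-delegate list.
    try:
        s4u2proxy(web_tgt, to_web, "smtp/mail.example.org")
        out["delegation_to_smtp"] = "allowed"
    except PermissionError:
        out["delegation_to_smtp"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

The model also shows why delegating to a principal that only ever acts as a client is awkward: the delegation path always ends in a ticket addressed to a named target service, so a "secretary" principal would have to be registered with a service key and named in the delegating service's list before the KDC would issue anything on the user's behalf.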