Unclear about Kerberos' Concepts

Greg Hudson ghudson at MIT.EDU
Sat Oct 5 10:43:08 EDT 2013


On 10/05/2013 09:42 AM, Rick van Rein wrote:
> I am less clear about the difference between users and services though -- are these kinds of principals that we as users have in mind, or is it something like "user is always a client" and/or "service is always a server" also carved in stone in the Kerberos system and its conceptual design?

The protocol does not distinguish strongly between users and services. 
Implementations do, to varying extents.

> Or could a user contact a user; could a service contact a service; could a service contact a user?

It is common for a service to contact another service, after using its 
long-term key to acquire a TGT.  It is less common for a user or service 
to contact a user, though it is possible.

> Delegation would be the way that I can tell a secretary, or a bot, to act on my behalf.  Does this also fall under Constrained Delegation?  In other words, can I set up krbAllowedToDelegateTo in LDAP and will CHECK_ALLOWED_TO_DELEGATE be called in such cases?

In Kerberos, delegation allows a service to act on your behalf to 
another service.  It is not common (or easy) to delegate credentials to 
another principal which acts purely as a client, such as a secretary or bot.
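The constrained-delegation check that the question and answer above refer to (a service entry's krbAllowedToDelegateTo values in the LDAP back end, consulted through the CHECK_ALLOWED_TO_DELEGATE back-end method when a service asks to act on a user's behalf to another service) can be modelled stand-alone. The following is an added example and not code from the MIT Kerberos project or from either poster: it parses a constructed LDIF entry for a hypothetical HTTP/web.example.com service and decides whether a proxy request to a given target would be allowed. The principal names, the LDAP container and the function names are assumptions for illustration; the real KDC does the check on its own data structures, not on LDIF text.

```python
"""Added example: a simplified model of the constrained-delegation check.

MIT Kerberos' LDAP back end stores a service's permitted delegation targets
in the multi-valued krbAllowedToDelegateTo attribute.  This model (not the
KDC's own code) parses a constructed LDIF entry and answers whether a given
service may delegate to a given target, as the KDC's allowed-to-delegate
check does conceptually.  A target that is a pure client principal (a user,
a bot) is simply never listed, which is why such delegation is denied.
"""
import base64

# Constructed LDIF entry (assumption, not real directory data): a web front
# end allowed to delegate only to a file server and a database service.
# The second value is folded across two lines to exercise LDIF continuation.
SAMPLE_LDIF = """\
dn: krbPrincipalName=HTTP/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: HTTP/web.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: cifs/files.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: postgres/db.example.com@EX
 AMPLE.COM
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles folded lines (a leading space continues the previous line) and
    base64 values ("attr:: <b64>").  Attribute names are kept as written.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif raw.strip():
            lines.append(raw)

    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def delegation_targets(entry):
    """All principals this service entry is permitted to delegate to."""
    return set(entry.get("krbAllowedToDelegateTo", []))


def check_allowed_to_delegate(entry, proxy_service, target_service):
    """Model of the allowed-to-delegate decision for a proxy request.

    The requesting service must be the principal the entry describes, and the
    target must be listed explicitly.  Matching is exact: Kerberos principal
    names are case-sensitive, so no normalisation is applied.
    """
    if proxy_service not in entry.get("krbPrincipalName", []):
        return False
    return target_service in delegation_targets(entry)


if __name__ == "__main__":
    svc = parse_ldif_entry(SAMPLE_LDIF)
    me = "HTTP/web.example.com@EXAMPLE.COM"
    for target in ("cifs/files.example.com@EXAMPLE.COM",
                   "postgres/db.example.com@EXAMPLE.COM",
                   "alice@EXAMPLE.COM"):          # a user, i.e. a pure client
        verdict = "allowed" if check_allowed_to_delegate(svc, me, target) else "denied"
        print(f"{me} -> {target}: {verdict}")
```

Reading the output against the answer above: the two listed services are allowed, while the user principal is denied because nothing in the entry names it, which matches the point that delegation in Kerberos is a service acting on your behalf to another service rather than credentials handed to a client-only principal. A defender auditing a realm can run the same parse over an LDIF export of the krbcontainer subtree to list every service that holds delegation rights and what it may reach.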


