Advice on cross-realm PKINIT?

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Mon Jun 9 21:30:46 EDT 2014


> The "problem" is that other "invariants" are violated by using AS for x-realm, as I mentioned earlier.

What kinds of issues are these invariant violations likely to cause? Would it be an obstacle to using the TGT to get services in the domain that issued it?

> Nothing that can't be overcome, and my idea
> is to use TGS anyways, but with a PKINIT pre-auth instead of PA-TGS, and
> with a "cross-realm"
> certificate (really, a cert issued most-likely by a kx509 CA -- an issuer that
> wouldn't be part of the target TGS' issuers for its realm's client principals).

I have to re-read your PKCROSS draft. It's been a while. What I'm angling for here is a means to support mechanism 3 on this page: http://www.freeipa.org/page/Collaboration_with_Kerberos (Logging in with a SASL/GSSAPI client). Essentially, I need to issue a TGT to non-Kerberos identities, which requires synthesizing a foreign Kerberos cname/crealm.

Bryce
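The last paragraph of the message above talks about synthesizing a foreign Kerberos cname/crealm for an identity that does not exist in any Kerberos database. As an added illustration (not code from this thread, nor from MIT krb5, Heimdal or FreeIPA), the Python below shows the string form such a name takes, with the backslash escaping MIT krb5 uses for '/', '@' and '\', and the one guard a synthesizer of this kind needs: the crealm it invents must never be the KDC's own realm, otherwise a mapped outside identity could be confused with a local principal of the same name. The realm names and the identity are constructed sample values, and the control-character mnemonics of the MIT format (\n, \t, \b, \0) are deliberately left out.

```python
"""Added example: string form of a Kerberos principal name (cname/crealm)
and a guard for synthesizing principals for non-Kerberos identities.

Illustrative code for this thread, not part of MIT krb5, Heimdal or FreeIPA.
Escaping follows the MIT krb5 string form (components joined by '/', realm
after '@', backslash escaping '/', '@' and '\\'); the control-character
mnemonics (\\n, \\t, \\b, \\0) are intentionally not handled. All realm and
identity values below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # the cname (name components)
    realm: str                   # the crealm


def parse_principal(text: str) -> Principal:
    """Parse 'comp1/comp2@REALM', honouring backslash escapes."""
    comps: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling escape at end of principal")
            buf.append(text[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            comps.append("".join(buf))
            buf = []
        elif ch == "@":
            if in_realm:
                raise ValueError("unescaped '@' inside realm")
            comps.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm")
    realm = "".join(buf)
    if not realm or any(c == "" for c in comps):
        raise ValueError("empty component or realm")
    return Principal(tuple(comps), realm)


def format_principal(p: Principal) -> str:
    """Inverse of parse_principal: re-escape so the result round-trips."""
    def esc(s: str, specials: str) -> str:
        return "".join("\\" + c if c in specials else c for c in s)
    name = "/".join(esc(c, "\\/@") for c in p.components)
    return name + "@" + esc(p.realm, "\\@")


def synthesize_foreign_principal(identity: str, foreign_realm: str,
                                 local_realm: str) -> Principal:
    """Map a non-Kerberos identity (here an e-mail style subject) onto a
    single-component principal in a designated foreign realm.

    The check that matters: the synthesized crealm must differ from the KDC's
    own realm, so a mapped outside identity can never be mistaken for a local
    principal of the same name. Realm names are case-sensitive in Kerberos;
    the comparison here is deliberately case-insensitive to be stricter.
    """
    if not identity or not foreign_realm:
        raise ValueError("identity and realm must be non-empty")
    if foreign_realm.upper() == local_realm.upper():
        raise ValueError("synthesized principal must not live in the local realm")
    return Principal((identity,), foreign_realm)


if __name__ == "__main__":
    # Constructed sample values (hypothetical realms).
    p = synthesize_foreign_principal("bob@example.org", "FOREIGN.TEST", "EXAMPLE.COM")
    s = format_principal(p)
    print(s)                        # bob\@example.org@FOREIGN.TEST
    print(parse_principal(s) == p)  # True
```

The point of the round trip is that an identity containing '@' (as most non-Kerberos identifiers do) only stays a single component if it is escaped on the way out and unescaped on the way back; a synthesizer that just concatenates strings would produce a name whose realm is not the one it intended.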
