temporarily granting a TGT for a client coming in with a 3rd party authn system

Chris Hecker checker at d6.com
Fri Nov 17 11:20:51 EST 2017


(Once more, with feeling...and also hopefully acceptable-to-mailman
formatting.)

This is all kind of half-baked, so bear with me while I think out loud:

- I am using kerberos for my game's authn with clients and a server.
Clients have connections to the server, and then also p2p connections to
each other, and I use u2u tickets for those.  This all works swimmingly.  I
<3 kerberos.

- I am now integrating a 3rd party authn system (Steam). This system also
uses sessions and tickets and whatnot but they're not kerberos tickets, so
I'm going to need to translate somehow, and I want this to all be seamless
so a Steam user doesn't know they aren't a normal kerberos user (until they
try something Steam doesn't support, but that's a different topic).

- I think what I want to do is when a Steam user connects to the server for
the first time with a Steam ticket, I authenticate it with Steam, and then
create a kerberos user for that Steam user. I don't want to require people
to pick a username or password or anything, so I want to generate a unique
krb username for this user <steamid>/steam or something (and I'll use princ
aliases if they want to pick another name later), and then also generate a
randkey.

This is where it gets interesting...

- I don't want to give them the key to their krb account because I don't
want them to be able to log into any of my other kerberized services, so I
think I'd like to request a TGT for them on the server and then send it to
the client. This way they can install it and use it to get u2u tickets, or
tickets to other services.

- Can I just do this, and send the TGT to the client and have them install
it with krb5_cc_store_cred? I do a similar thing with krb5_cc_retrieve_cred
to get the tgt for u2u?  Does there have to be an AS request to establish a
session key, or does there need to be a key installed on the client to use
the TGT correctly?

- If this isn't going to work, what are my options here? I'd like to keep
everything except the initial login working with my current kerberos
system, so I'd really like to get a Steam user a temporary kerberos ticket
as early as possible so I don't have to handle many special cases. I'd like
to avoid sending a full key to the client because they could then use that
to log into my other kerberos services unless I implemented some kind of
authz stuff that I'd like to avoid for now.

Thoughts?

Thanks!
Chris
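
Added example (not from Chris's post and not the MIT krb5 API): a stand-alone Python model of the flow sketched above, in which the game server creates a randkey principal for a Steam user, runs the AS exchange itself, and forwards only the resulting credential to the client. The names ToyKDC, server_provision_steam_user, client_get_service_ticket, the service principal and the Steam ID are constructed for the example, and HMAC seals stand in for Kerberos encryption so it runs with the standard library only. The forwarded credential is modelled as what a ccache entry holds, the ticket plus its session key, and the model checks the three properties a defender cares about here: that credential alone is enough for TGS requests, it does not let the holder run an AS exchange (which needs the long-term key), and it stops working when the TGT lifetime passes.

```python
import hashlib
import hmac
import json
import secrets


def seal(key: bytes, payload: dict) -> dict:
    """Integrity-protect a payload under key. Stand-in for Kerberos ticket
    encryption (constructed toy: HMAC only, no confidentiality)."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, sealed: dict) -> dict:
    """Return the payload if the MAC verifies under key, else raise PermissionError."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise PermissionError("integrity check failed")
    return json.loads(sealed["body"])


class ToyKDC:
    """Minimal AS and TGS behaviour (hypothetical, not the MIT krb5 KDC)."""

    def __init__(self):
        self.krbtgt_key = secrets.token_bytes(32)   # TGTs are sealed under this
        self.principals = {}                        # name -> long-term key

    def add_principal_randkey(self, name):
        self.principals[name] = secrets.token_bytes(32)
        return self.principals[name]

    def as_exchange(self, name, preauth, now, lifetime_s=300):
        """AS-REQ: pre-auth must verify under the principal's long-term key."""
        unseal(self.principals[name], preauth)
        session_key = secrets.token_bytes(32)
        tgt = seal(self.krbtgt_key, {"client": name, "session": session_key.hex(),
                                     "expires": now + lifetime_s})
        # Mirrors what a ccache credential entry holds: the ticket plus its session key.
        return {"client": name, "ticket": tgt, "session_key": session_key.hex()}

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ: needs a valid, unexpired TGT and an authenticator under its session key."""
        t = unseal(self.krbtgt_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if abs(now - auth["ts"]) > 300:
            raise PermissionError("stale authenticator")
        return seal(self.principals[service], {"client": t["client"], "service": service})


def server_provision_steam_user(kdc, steam_id, now, lifetime_s=300):
    """Game server side. Steam ticket validation is assumed to have happened already.
    Creates <steamid>/steam with a random key, runs the AS exchange itself, and
    returns only the credential to forward to the client over the existing
    protected connection; the long-term key never leaves the server."""
    name = f"{steam_id}/steam"
    key = kdc.add_principal_randkey(name)
    cred = kdc.as_exchange(name, seal(key, {"ts": now}), now, lifetime_s)
    if key.hex() in json.dumps(cred):
        raise RuntimeError("credential must not carry the long-term key")
    return cred


def client_get_service_ticket(kdc, cred, service, now):
    """Client side: holds only the forwarded credential and seals the TGS-REQ
    authenticator with the session key, exactly as a normal ccache user would."""
    authenticator = seal(bytes.fromhex(cred["session_key"]), {"client": cred["client"], "ts": now})
    return kdc.tgs_exchange(cred["ticket"], authenticator, service, now)


def rejected(fn, *args):
    """True if the KDC refuses the request."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    now = 1_700_000_000.0                                  # fixed clock for reproducibility
    kdc = ToyKDC()
    service = "game/server.example"                        # constructed service principal
    service_key = kdc.add_principal_randkey(service)
    cred = server_provision_steam_user(kdc, "steamid-demo-123", now)   # constructed Steam ID

    # 1. With ticket + session key alone, the client obtains a service ticket.
    st = unseal(service_key, client_get_service_ticket(kdc, cred, service, now + 10))
    # 2. The session key does not let the client run its own AS exchange (that needs
    #    the long-term key), so the forwarded credential cannot bootstrap new logins.
    as_blocked = rejected(kdc.as_exchange, cred["client"],
                          seal(bytes.fromhex(cred["session_key"]), {"ts": now}), now)
    # 3. Once the TGT lifetime passes, the forwarded credential is useless.
    expired = rejected(client_get_service_ticket, kdc, cred, service, now + 600)
    return {"ticket_client": st["client"], "client_as_rejected": as_blocked,
            "expired_rejected": expired}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three results. The design point the model makes concrete: the blast radius of a leaked forwarded credential is one principal for one TGT lifetime, whereas a leaked long-term key lasts until the key is changed, so keep the lifetime short and send the credential only over the already-authenticated client connection.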


More information about the Kerberos mailing list