temporarily granting a TGT for a client coming in with a 3rd party authn system

Greg Hudson ghudson at mit.edu
Fri Nov 17 13:39:28 EST 2017

On 11/17/2017 11:20 AM, Chris Hecker wrote:
> - I don't want to give them the key to their krb account because I don't
> want them to be able to log into any of my other kerberized services, so I
> think I'd like to request a TGT for them on the server and then send it to
> the client. This way they can install it and use it to get u2u tickets, or
> tickets to other services.

It seems like a TGT would allow them the same access to other kerberized
services as the key would, though only for the lifetime of the TGT.

> - Can I just do this, and send the TGT to the client and have them install
> it with krb5_cc_store_cred? I do a similar thing with krb5_cc_retrieve_cred
> to get the tgt for u2u?  Does there have to be an AS request to establish a
> session key, or does there need to be a key installed on the client to use
> the TGT correctly?

The client needs the session key of the ticket in order to use it.  You
can transmit that as well, but will need to do so over an encrypted
channel.  krb5_mk_1cred() will package up a credential (ticket and
session key) and encrypt it using an auth context.

> - If this isn't going to work, what are my options here?

One potential building block is S4U2Self (aka "Protocol Transition"),
where a service can request a ticket from an arbitrary user to itself
after authenticating the user with a different auth protocol.  But I
don't think you could easily bootstrap from there to U2U communication
between the clients.
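The exchange described above, as an added Python model that is not part of this thread or of libkrb5: the functions below mirror the roles of krb5_mk_1cred, krb5_rd_cred and krb5_cc_store_cred but are stand-ins written for illustration, the HMAC-based seal/unseal stands in for a Kerberos enctype, the auth-context key is assumed to have been established already, and the principal name and timestamps are constructed. It shows why the client needs the session key and not just the ticket, why the packaged credential must travel over an encrypted channel, and that the forwarded TGT only works for its lifetime.

```python
"""Stdlib-only model of forwarding a TGT plus its session key to a client.
Constructed example; not libkrb5 and not wire-compatible with Kerberos."""
import hashlib
import hmac
import json
import os

# Stand-in for a Kerberos enctype: HMAC-SHA256 counter keystream plus HMAC tag.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

KRBTGT_KEY = os.urandom(32)  # the KDC's key: only the KDC can open a TGT

def issue_tgt(client, lifetime, now):
    """KDC: a credential is the sealed ticket plus the session key inside it."""
    session_key = os.urandom(32)
    body = {"client": client, "key": session_key.hex(), "endtime": now + lifetime}
    return {"ticket": seal(KRBTGT_KEY, json.dumps(body).encode()), "session_key": session_key}

def mk_1cred(auth_ctx_key, cred):
    """Server: package ticket + session key under the auth-context key (like KRB-CRED)."""
    body = {"ticket": cred["ticket"].hex(), "session_key": cred["session_key"].hex()}
    return seal(auth_ctx_key, json.dumps(body).encode())

def rd_cred(auth_ctx_key, msg):
    """Client: unpack the credential; fails if the channel was tampered with."""
    d = json.loads(unseal(auth_ctx_key, msg))
    return {"ticket": bytes.fromhex(d["ticket"]), "session_key": bytes.fromhex(d["session_key"])}

def cc_store_cred(ccache, name, cred):
    """Client: install the credential in a (dict) ccache."""
    ccache[name] = cred

def mk_req(cred, client, now):
    """Client: AP-REQ-style message whose authenticator is keyed with the session key."""
    auth = json.dumps({"client": client, "ctime": now}).encode()
    return {"ticket": cred["ticket"], "authenticator": auth,
            "mac": hmac.new(cred["session_key"], auth, hashlib.sha256).digest()}

def rd_req(req, now):
    """TGS: open the ticket with the krbtgt key, recover the session key, verify."""
    t = json.loads(unseal(KRBTGT_KEY, req["ticket"]))
    if now > t["endtime"]:
        raise PermissionError("ticket expired")
    mac = hmac.new(bytes.fromhex(t["key"]), req["authenticator"], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, req["mac"]):
        raise PermissionError("authenticator not keyed with the ticket's session key")
    a = json.loads(req["authenticator"])
    if a["client"] != t["client"] or abs(now - a["ctime"]) > 300:
        raise PermissionError("client mismatch or clock skew")
    return t["client"]

def scenario(now=1_700_000_000):
    """Walk the thread's proposal and report what each attempt yields."""
    out = {}
    auth_ctx_key = os.urandom(32)  # assumed: already established between server and client
    tgt = issue_tgt("chris@EXAMPLE.COM", 3600, now)  # server got this after 3rd-party authn
    wire = mk_1cred(auth_ctx_key, tgt)
    ccache = {}
    cc_store_cred(ccache, "krbtgt", rd_cred(auth_ctx_key, wire))
    out["with_key"] = rd_req(mk_req(ccache["krbtgt"], "chris@EXAMPLE.COM", now), now)
    # Ticket only, no session key: the client cannot produce a valid authenticator.
    bare = {"ticket": tgt["ticket"], "session_key": os.urandom(32)}
    try:
        rd_req(mk_req(bare, "chris@EXAMPLE.COM", now), now)
        out["without_key"] = "accepted"
    except PermissionError as e:
        out["without_key"] = str(e)
    # Same TGT after its lifetime: the access stops when the ticket expires.
    try:
        rd_req(mk_req(ccache["krbtgt"], "chris@EXAMPLE.COM", now + 7200), now + 7200)
        out["after_lifetime"] = "accepted"
    except PermissionError as e:
        out["after_lifetime"] = str(e)
    # Credential altered in transit: the client refuses it rather than installing garbage.
    tampered = wire[:20] + bytes([wire[20] ^ 0x01]) + wire[21:]
    try:
        rd_cred(auth_ctx_key, tampered)
        out["tampered"] = "accepted"
    except ValueError as e:
        out["tampered"] = str(e)
    return out

if __name__ == "__main__":
    print(scenario())
```

The "without_key" branch is the point of Greg's first answer: holding the ticket bytes alone gets the client nothing, because the TGS checks the authenticator against the session key it recovers from inside the ticket, which only the KDC can open. With a real libkrb5 the same shape applies: krb5_mk_1cred on the server, krb5_rd_cred on the client, then krb5_cc_store_cred, with the auth context's key doing the job of auth_ctx_key here.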
