PROXY tickets and GSSAPI
Steven Michaud
smch at midway.uchicago.edu
Wed Jun 26 13:11:00 EDT 2002
I've done more-or-less what you describe, as part of an as-yet-unfinished Web-Kerberization project. (The client (a Java applet or a Netscape plugin) kinits and then does a GSSAPI authentication to what I call a "Kerberos Helper" daemon, forwarding the user's credentials as part of the process. The Kerberos Helper daemon puts the credentials into a ticket cache in a special location, where an authentication plugin to some other service (e.g. UW IMAPD or Apache) can find it and use its contents to authenticate the user.)

I did have to "break" the GSS abstraction (which of course you also have to do in order to kinit). But I don't think my method is _too_ ugly. Basically, my Kerberos Helper daemon uses "Krb5 API" calls to create a ticket cache (krb5_init_context, krb5_cc_resolve, krb5_cc_initialize and the like). Then it uses a GSSAPI extension that I found in the MIT distribution (gss_krb5_copy_ccache) to copy the forwarded credentials to the cache. My authentication plugins use yet another GSSAPI extension (gss_krb5_ccache_name) to temporarily change the location of the default ticket cache, then use standard GSSAPI calls to check its contents.

I also used forwardable credentials instead of proxiable ones.
On Wed, 26 Jun 2002, Wyllys Ingersoll wrote:
>
> I have a scenario where I would like to have a GSSAPI-based server receive creds from a client and then act as a "proxy" by assuming the client's identity (the initial client sent delegated creds with the PROXIABLE flags set) to access a third service.
>
> However, this does not seem possible given the current GSSAPI without breaking the GSS abstraction layer in the intermediate server and directly manipulating the Kerberos creds. Has anyone done something similar or know if it would be possible without a lot of ugly hacks that break the barrier between GSSAPI and KRB5?
>
> -Wyllys Ingersoll