Getting started

Derek Atkins derek at
Tue Jul 8 22:22:07 EDT 2003

Harvey Kravis <harvey.kravis at> writes:

> I have several related questions:
> 1)  I have a client/server database application and would like to
> authenticate w/Kerberos independently of the database.  In other words, I
> just want to authenticate with Kerberos and will handle database
> authentication separately.  The question I have is this:  is getting a TGT
> through my application sufficient authentication?  

No.  Just obtaining a TGT is not sufficient.  An attacker could pose
as a KDC and thereby gain a "TGT".

>    Or do I also need to have
> a homegrown server app grant me a regular ticket?  

Yes, this is what you need to do for real security.

>     It seems to me that a TGT
> is sufficient because it is username/password based, my users have to enter
> a username and password each time they log in, and I'd like to avoid the
> complexity of the socket thing and granting regular tickets.  Each Kerberos
> user relates to a corresponding database user.  All of the database users
> will have the same password known only to my program.

Well, I'm not sure what you're trying to do here.  Just obtaining a TGT
is not sufficient.  Basically, your application is asking some network
service to send it some data that the user can decrypt, and if it decrypts
you have a TGT.  The problem is that doesn't actually let you know that
you got a response from the _real_ KDC.  See above about posing as a KDC.

The only secure way to use Kerberos is to first obtain a TGT, and THEN use
that TGT to obtain a service ticket known to the login service (or to your
application).  Once you've gone that far, why not just use the TGT (already
obtained) to secure your application?

> 2) If I want to provide single sign-on in the future, is there a way to
> programmatically determine which Kerberos user the current TGT is for under
> the above scenario?  I need to know which database user to log in with in
> that situation.

Yes, determining the principal in the TGT is easy.

> 3) Is there good sample code out there that anyone can recommend?  I have
> the "Kerberos, A Network Authentication System" book by Brian Tung, but I'm
> looking for something better.

Take a look at the kerberized login program, or pam_krb5, or lots of
other KRB5 services.

> 4) What's a good source of information for doing this kind of authentication
> (Kerberos independent of the database) in a web (.NET) application?

Don't know what to tell you.   Find a consultant?  :)

> Any help would be appreciated!
> Harvey Kravis
> SunGard BSR Inc.


       Derek Atkins                 617-623-3745
       derek at   
       Computer and Internet Security Consultant
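
The point made in the reply above, as an added example that is not part of the original post: a toy model showing that a login which only checks that the AS reply decrypts will accept an impostor KDC, while one that also verifies a service ticket against the application's own key will not. The cipher, the `KDC` class, the principal `alice`, the passwords and all keys are constructed for illustration and are not Kerberos enctypes or the krb5 API.

```python
import hashlib, hmac, os

def _stream(key, n):
    # SHA-256 counter-mode keystream (toy cipher, not a Kerberos enctype)
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns the plaintext, or None if the blob was not sealed under `key`.
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

def pw_key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.TEST", 1000)

class KDC:
    """Toy KDC: users maps principal -> long-term key; service_key is the app's key."""
    def __init__(self, users, service_key):
        self.users, self.service_key, self.tgs_key = users, service_key, os.urandom(32)
    def as_req(self, user):
        session = os.urandom(32)
        return seal(self.users[user], session), seal(self.tgs_key, session + user.encode())
    def tgs_req(self, tgt):
        body = unseal(self.tgs_key, tgt)
        return seal(self.service_key, body[32:])  # service ticket naming the principal

def login_tgt_only(kdc, user, password):
    # Accepts as soon as the AS reply decrypts: says nothing about who sent it.
    reply, _tgt = kdc.as_req(user)
    return unseal(pw_key(password), reply) is not None

def login_verified(kdc, user, password, keytab_key):
    # Also requires a service ticket that decrypts under the app's own key,
    # which only the real KDC shares.
    reply, tgt = kdc.as_req(user)
    if unseal(pw_key(password), reply) is None:
        return False
    return unseal(keytab_key, kdc.tgs_req(tgt)) == user.encode()

# Constructed sample data
APP_KEY = os.urandom(32)
REAL = KDC({"alice": pw_key("correct horse")}, APP_KEY)
IMPOSTOR = KDC({"alice": pw_key("made up")}, os.urandom(32))  # does not know APP_KEY
```

In MIT krb5 the corresponding check is `krb5_verify_init_creds()`, which validates the initial credentials against a key in the local keytab.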
