derek at ihtfp.com
Tue Jul 8 22:22:07 EDT 2003
Harvey Kravis <harvey.kravis at sungardbsr.com> writes:
> I have several related questions:
> 1) I have a client/server database application and would like to
> authenticate w/Kerberos independently of the database. In other words, I
> just want to authenticate with Kerberos and will handle database
> authentication separately. The question I have is this: is getting a TGT
> through my application sufficient authentication?
No. Just obtaining a TGT is not sufficient. An attacker could pose
as a KDC and thereby gain a "TGT".
> Or do I also need to have
> a homegrown server app grant me a regular ticket?
Yes, this is what you need to do for real security.
> It seems to me that a TGT
> is sufficient because it is username/password based, my users have to enter
> a username and password each time they log in, and I'd like to avoid the
> complexity of the socket thing and granting regular tickets. Each Kerberos
> user relates to a corresponding database user. All of the database users
> will have the same password known only to my program.
Well, I'm not sure what you're trying to do here. Just obtaining a TGT
is not sufficient. Basically, your application is asking some network
service to send it some data that the user can decrypt, and if it decrypts
you have a TGT. The problem is that doesn't actually let you know that
you got a response from the _real_ KDC. See above about posing as a KDC.
The only secure way to use Kerberos is to first obtain a TGT, and THEN use
that TGT to obtain a service ticket known to the login service (or to your
application). Once you've gone that far, why not just use the TGT (already
obtained) to secure your application?
> 2) If I want to provide single sign-on in the future, is there a way to
> programmatically determine which Kerberos user the current TGT is for under
> the above scenario? I need to know which database user to log in with in
> that situation.
Yes, determining the principal in the TGT is easy.
> 3) Is there good sample code out there that anyone can recommend? I have
> the "Kerberos, A Network Authentication System" book by Brian Tung, but I'm
> looking for something better.
Take a look at the kerberized login program, or pam_krb5, or lots of
other KRB5 services.
> 4) What's a good source of information for doing this kind of authentication
> (Kerberos independent of the database) in a web (.NET) application?
Don't know what to tell you. Find a consultant? :)
> Any help would be appreciated!
> Harvey Kravis
> SunGard BSR Inc.
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
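Derek's point above, that a TGT on its own only proves that *something* answered the AS-REQ with data the typed password decrypts, while the follow-up service ticket proves it was the real KDC, as an added toy model. This is not part of the original thread and is not Kerberos library code: encryption is stood in for by HMAC tags, the principal names, passwords and keys are constructed, and `RealKDC`, `ImpostorKDC`, `login_tgt_only`, `login_verified` and `demo` are hypothetical names. It shows why the TGT-only check accepts an answer from someone posing as a KDC and the verified check does not.

```python
"""Toy model (not Kerberos code) of why a TGT alone is not enough.

'Sealing' a payload under a key stands in for encryption: unseal() succeeds
only if the tag verifies with the key the caller holds, which is exactly the
property a 'did it decrypt?' login check relies on.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

TAG_LEN = 32


def key_from_password(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key (constructed, not the real KDF)."""
    return hashlib.sha256(b"toy-string2key:" + password.encode()).digest()


def seal(key: bytes, payload: bytes) -> bytes:
    """'Encrypt': payload followed by HMAC-SHA256(key, payload)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """'Decrypt': the payload if the tag verifies under key, else None."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return payload
    return None


class RealKDC:
    """Holds every principal's long-term key, including the host's keytab key."""

    def __init__(self, principals: dict):
        self.principals = principals
        self.tgs_key = os.urandom(32)

    def as_exchange(self, client: str) -> Tuple[bytes, bytes]:
        """AS-REP: session key sealed under the user's key, plus a TGT."""
        session = os.urandom(32)
        enc_part = seal(self.principals[client], b"session:" + session)
        tgt = seal(self.tgs_key, client.encode() + b"|" + session)
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, service: str) -> Optional[Tuple[bytes, bytes]]:
        """TGS-REP: a service ticket sealed under the *service's* key."""
        inner = unseal(self.tgs_key, tgt)
        if inner is None:
            return None
        client, session = inner.split(b"|", 1)
        ticket = seal(self.principals[service], b"client:" + client)
        enc_part = seal(session, b"svcsession:" + os.urandom(32))
        return enc_part, ticket


class ImpostorKDC:
    """Someone posing as a KDC: it never learned the user's real key or the
    host's keytab key, so it seals the AS-REP under a key of its own choosing
    and cannot produce a ticket the host can unseal."""

    def __init__(self, chosen_password: str):
        self.chosen_key = key_from_password(chosen_password)

    def as_exchange(self, client: str) -> Tuple[bytes, bytes]:
        return seal(self.chosen_key, b"session:" + os.urandom(32)), os.urandom(64)

    def tgs_exchange(self, tgt: bytes, service: str) -> Optional[Tuple[bytes, bytes]]:
        return seal(os.urandom(32), b"bogus"), seal(os.urandom(32), b"bogus")


def login_tgt_only(kdc, client: str, password: str) -> bool:
    """The insufficient check: 'the AS-REP decrypts, so the user is genuine'."""
    enc_part, _tgt = kdc.as_exchange(client)
    return unseal(key_from_password(password), enc_part) is not None


def login_verified(kdc, client: str, password: str, service: str, keytab_key: bytes) -> bool:
    """TGT first, THEN a service ticket for a principal whose key we hold locally."""
    enc_part, tgt = kdc.as_exchange(client)
    session_blob = unseal(key_from_password(password), enc_part)
    if session_blob is None:
        return False                        # wrong password
    session = session_blob[len(b"session:"):]
    rep = kdc.tgs_exchange(tgt, service)
    if rep is None or unseal(session, rep[0]) is None:
        return False                        # TGS-REP not bound to our session key
    inner = unseal(keytab_key, rep[1])      # only a KDC holding our keytab key passes this
    return inner is not None and inner == b"client:" + client.encode()


def demo() -> dict:
    """Constructed scenario: one user, one host keytab, a real KDC and an impostor."""
    user = "harvey@EXAMPLE.COM"
    host = "host/db.example.com@EXAMPLE.COM"
    host_key = os.urandom(32)               # what the host's keytab would hold
    real = RealKDC({user: key_from_password("correct horse"), host: host_key})
    impostor = ImpostorKDC("anything-i-like")
    return {
        "tgt_only/real/right password": login_tgt_only(real, user, "correct horse"),
        "tgt_only/real/wrong password": login_tgt_only(real, user, "guess"),
        "tgt_only/impostor": login_tgt_only(impostor, user, "anything-i-like"),
        "verified/real/right password": login_verified(real, user, "correct horse", host, host_key),
        "verified/impostor": login_verified(impostor, user, "anything-i-like", host, host_key),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:30s} -> {'accepted' if ok else 'rejected'}")
```

The `tgt_only/impostor` line is the flaw in miniature: whoever answers the AS-REQ also controls which password makes the reply "decrypt", so the check proves nothing about the user. In a real deployment the second step is what libkrb5's `krb5_verify_init_creds()` does with the local keytab, and what a kerberized login program or pam_krb5 relies on.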