Question on validating Kerberos Ticket (From one machine to another)

Russ Allbery rra at stanford.edu
Tue Jun 26 18:18:15 EDT 2007


first last <swtest9 at yahoo.com> writes:

> Here is the scenario.  I want to piggyback onto the authentication
> mechanism in place.  For my purposes, Windows Active Directory. So here
> is the picture which assumes authenticated Windows client:

>  Windows Client         Linux Client       Active Directory (KDC)
>  --------------         ------------       ----------------------
>      |                      |                      |
>      |--------------------->|                      |
>      | Transfer credentials |                      |
>      |                      |                      |
>      |                      |--------------------->|
>      |                      | Present credentials  |
>      |                      |                      |
>      |                      |<---------------------|
>      |                      |     Valid/Invalid    |

I'm fairly sure that this isn't really the answer that you want to get,
but most people on this list are probably going to tell you that a secure
design here requires authenticating the Windows Client to the Linux Client
using something like GSSAPI.  GSSAPI is the recommended way of doing
Kerberos authentication on the network; it's possible to use the raw
Kerberos v5 calls, and some protocols do that, but GSSAPI is
better-supported.

If you use GSSAPI to protect the connection between the Windows Client and
the Linux Client, the verification of credentials against AD will happen
"automatically" as part of the GSSAPI authentication exchange between the
two systems.

BTW, this question, since it's not really about developing MIT Kerberos
itself, is probably better suited for the kerberos at mit.edu mailing list.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
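The Linux-side half of the GSSAPI exchange Russ describes, as an added example that is not part of the original message or of MIT Kerberos: an acceptor loop that drives the context to completion and reports the authenticated client name, plus the length-prefix framing the two sides need to carry tokens over a socket. The service name host@linux.example.com, the keytab on the Linux host, and the python-gssapi dependency are all assumptions.

```python
import struct

def encode_token(token: bytes) -> bytes:
    """Frame one GSSAPI token for the wire: 4-byte big-endian length + bytes."""
    return struct.pack("!I", len(token)) + token

def run_acceptor(ctx, recv_token, send_token) -> str:
    """Drive the acceptor (Linux) side of a GSSAPI context to completion.

    ctx follows gssapi.SecurityContext: step(token) returns a reply token or
    None; .complete and .initiator_name report the result.  The client's
    service ticket is verified inside step() with the key from the keytab,
    so the acceptor needs no round trip of its own to AD.
    """
    while not ctx.complete:
        reply = ctx.step(recv_token())
        if reply:
            send_token(reply)
    return str(ctx.initiator_name)

def accept_over_socket(conn, service="host@linux.example.com") -> str:
    """Bind run_acceptor to python-gssapi and a connected TCP socket."""
    import gssapi  # assumed dependency; only needed against a real KDC
    name = gssapi.Name(service, gssapi.NameType.hostbased_service)
    creds = gssapi.Credentials(usage="accept", name=name)  # from keytab
    ctx = gssapi.SecurityContext(creds=creds, usage="accept")

    def recvall(n):
        data = b""
        while len(data) < n:
            chunk = conn.recv(n - len(data))
            if not chunk:
                raise ConnectionError("peer closed mid-exchange")
            data += chunk
        return data

    def recv():
        (n,) = struct.unpack("!I", recvall(4))
        return recvall(n)

    who = run_acceptor(ctx, recv, lambda t: conn.sendall(encode_token(t)))
    # Only trust the name if the client also got proof it reached this host.
    if gssapi.RequirementFlag.mutual_authentication not in ctx.actual_flags:
        raise PermissionError("mutual authentication was not negotiated")
    return who
```

The Windows client performs the matching initiator steps (SSPI or python-gssapi with `usage="initiate"`), sending its first token before reading a reply; once `complete` is true on both ends the returned name is the principal AD issued the ticket to.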
