Peer to Peer instead of Client to Server
jhutz at cmu.edu
Mon Apr 7 15:00:55 EDT 2008
--On Monday, April 07, 2008 01:30:42 PM -0500 "Douglas E. Engert"
<deengert at anl.gov> wrote:
> This sounds like user2user. DCE had it and Windows has had it for
> years. There where some IETF Kerberos and GSSAPI drafts written
> by Microsoft, but never caried forward. Globus could do it through
> GSSAPI, using its GSI and there where mods to Kerberos to support
> user2user so Globus could call GSSAPI/Kerberos.
Kerberos does U2U; see RFC4120 section 3.7 for details.
However, it's not clear to me that this application requires U2U, the main
feature of which is that it permits authentication to a "server" which has
a current TGT but does not know its long-term key. In the described
application, the servers all have keytabs and currently do not run with
tickets, so U2U really doesn't apply here.
More information about the krbdev