Services4User review

Nicolas Williams Nicolas.Williams at
Sat Sep 5 03:12:46 EDT 2009

On Sat, Sep 05, 2009 at 08:46:36AM +0200, Luke Howard wrote:
> On 05/09/2009, at 5:10 AM, Greg Hudson wrote:
> >On Fri, 2009-09-04 at 17:49 -0400, Nicolas Williams wrote:
> >>Actually, S4U2Self and Proxy *both* are in the same boat: they can
> >>be used without new gss_*cred*() extentions because in both cases
> >>they  can be used solely through the delegated credentials returned
> >>by gss_accept_sec_context().
> >
> >That doesn't match my understanding.  As I understand it, the general
> >use case of S4U2Self is that you've authenticated a user by some
> >other means (like an X.509 certificate or a password over TLS) and
> >you  want to get a ticket as that user to examine the PAC information
> >or for use  with S4U2Proxy.  You never accepted a GSS security
> >context.  So you need gss_acquire_cred_impersonate_name to do
> >S4U2Self, but you can then  pass the resulting credentials to
> >gss_init_sec_context to do S4U2Proxy, without needing a second
> >extension.
> Yes, that is my understanding too.

Your page says:

Readers are referred to [MS-SFU] for protocol details, but the premise
behind S4U2Self is that a service requests a ticket from itself, to
itself, presenting some additional preauthentication data containing the
name of the user it has presumably authenticated. The KDC, after making
any access checks, returns a ticket with the client-name rewritten to
that in the preauthentication data. The server name is unchanged. 

It follows that one could use the initiator name from an established
security context.  Yes, that's twisting things around a bit.


More information about the krbdev mailing list