[kitten] Token Preauth for Kerberos
Simo Sorce
simo at redhat.com
Tue Jun 17 08:43:29 EDT 2014
On Tue, 2014-06-17 at 05:35 +0000, Zheng, Kai wrote:
> >> You need to modify something anyway, constrained delegation sounds
> like a better way than trying to devise a whole new pre-auth plugin.
> As far as I know s4u2self & s4u2proxy plus constrained delegation are
> from MS and I'm not sure we could modify it as we need. A new
> token-preauth based on existing Kerberos and framework is preferable
> for us since the plugin is easy to deploy, also we believe
> the mechanism using JWT token will open the door to integrate Kerberos
> with OAuth.
I think AD data can be added with s4u2self/s4u2proxy as well; what other
modifications do you have in mind?
> >>However you should only transmit the authorization data, not the
> whole token, otherwise you destroy every single security property of
> Kerberos.
> >>I can't see any krb admin as accepting something like that.
> Yes, I agree. As discussed with Greg and also said here in my previous
> email, we will not pass the token itself to the service, but instead token
> attributes or a derivation of it that can't be used to authenticate with
> the KDC.
Do you have a standardized AD element in mind, or are you going to
define a new one?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
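The point argued above (the KDC verifies the token during preauth, and the service ticket carries only token attributes or a non-replayable derivation, never the bearer token itself) as an added illustration; this is not code from the thread, from MIT Kerberos, or from the proposed plugin. It assumes a hypothetical HS256-signed JWT, a constructed shared secret and clock, and a hypothetical authorization-data layout (`claims` plus a SHA-256 of the token); the real AD element, as Simo asks, is still to be defined.

```python
import base64
import hashlib
import hmac
import json

# Constructed inputs for the example: a shared secret known only to the
# token issuer and the KDC, and a fixed "now" so the expiry check is stable.
SAMPLE_KEY = b"constructed-shared-secret-not-a-real-key"
SAMPLE_NOW = 1402987409  # arbitrary epoch seconds for the example
SAMPLE_CLAIMS = {"iss": "idp.example", "sub": "alice", "groups": ["hdfs", "admins"],
                 "exp": SAMPLE_NOW + 3600}

# Hypothetical choice of which claims the KDC copies into authorization data.
AD_CLAIMS = ("iss", "sub", "groups")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: mint a compact HS256 JWT (header.payload.signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def kdc_verify_token(token: str, key: bytes, now: int) -> dict:
    """KDC side (preauth): check structure, pinned alg, signature and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def token_accepted(token: str, key: bytes, now: int) -> bool:
    """Convenience wrapper: True if the KDC would accept this token as preauth."""
    try:
        kdc_verify_token(token, key, now)
        return True
    except ValueError:
        return False


def derive_authz_data(token: str, claims: dict) -> dict:
    """KDC side: what goes into the ticket. Selected claims and a hash of the token; no signature,
    no raw token, so the service cannot replay it as preauth (hypothetical AD layout)."""
    return {
        "claims": {k: claims[k] for k in AD_CLAIMS if k in claims},
        "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
    }


def replay_from_authz_data(ad: dict, key: bytes, now: int) -> bool:
    """Service or attacker side: try to rebuild a preauth token from the AD alone.
    Without the signature (or the key) the best it can do is an unsigned token, which the KDC rejects."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(dict(ad["claims"], exp=now + 3600), separators=(",", ":")).encode())
    forged = f"{header}.{payload}."  # empty signature: the AD never carried one
    return token_accepted(forged, key, now)


def demo() -> dict:
    """Full flow: issue token, KDC verifies it, KDC derives the AD the service will see."""
    token = make_hs256_jwt(SAMPLE_CLAIMS, SAMPLE_KEY)
    claims = kdc_verify_token(token, SAMPLE_KEY, SAMPLE_NOW)
    return {"token": token, "ad": derive_authz_data(token, claims)}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["ad"], indent=2))
    print("replay from AD accepted:", replay_from_authz_data(result["ad"], SAMPLE_KEY, SAMPLE_NOW))
```

The `token_sha256` field is only a correlation handle for audit logs; a hash of the token reveals nothing usable for preauth, whereas copying the token itself into the ticket would hand every service a credential valid at the KDC.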