Proxiable tickets

Frank Taylor

Dec 16, 2003, 9:57:45 AM
All,

I am building an application that uses Kerberos internally to
authenticate usage of back end resources. In a move to improve
internal auditing I'd like to use proxy tickets to handle delegation
of rights from a user to an intermediary service. Specifically I'd
like to delegate LDAP access to a web application for a user.

The plan is that the user's agent will generate a proxiable LDAP
ticket that it hands to the web application. The web application
(implemented in J2EE using JSPs and EJBs) will then generate the
required authenticators to connect to LDAP when required.

Whilst I believe this is how it should work in theory, I am lost as to
how to implement this in practice. Specifically, I am not sure exactly
what should be passed from the client to the web application...
rfc1510 talks about passing the "proxy", but does not define what this
is? Is it the TGS REPLY, or is it the underlying ticket?

Has anyone done anything like this? The Kerberos FAQ says that
proxiable tickets are not often used.

Can anyone point me towards information of programming for proxiable
tickets?

I am using jKrb5 (the java-kerberos library) to prototype the
interactions.

Is there a better solution?

Thanks,

Frank Taylor.

Douglas E. Engert

Dec 17, 2003, 10:17:30 AM
to kerb...@mit.edu
Another approach is to use the KX509 from the University of Michigan.
It is used to get a X509 certificate from a KCA server using Kerberos
authentication. The certificate is usually good for one day.

The certificate and key can be used from IE or Netscape, and the kx509
can run on Windows, UNIX or MAC.

http://www.citi.umich.edu/projects/kerb_pki/

The nice feature of this is the Web servers are already set up to
use certificates, so these can be used with IIS, or SUNOne for example.

The above certificates can be used for delegation, but their KCT
package says it can. (I have not tried the KCT.)

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Frank Taylor

Dec 17, 2003, 11:57:58 AM
goo...@lieder.me.uk (Frank Taylor) wrote in message news:<d777a3ae.0312...@posting.google.com>...

> Whilst I believe this is how it should work in theory, I am lost as to
> how to implement this in practice. Specifically, I am not sure exactly
> what should be passed from the client to the web application...
> rfc1510 talks about passing the "proxy", but does not define what this
> is? Is it the TGS REPLY, or is it the underlying ticket?

A more thorough reading of rfc1510 reveals the KRB_CRED message, for
sending Credentials protected by an existing session key.

Using the java-kerberos API I can make a KRB_CRED (it's a little bit
fiddly), but I now don't get how to turn the serialised KRB_CRED back
into a Credentials. Using this API, the only way to create a
Credentials requires a KDCRep object.

Anyone with experience of this?

My only hope of continuing is to update the library with a new
Credentials constructor that takes a KRBCred.

Thanks,

Frank.

Sam Hartman

Dec 17, 2003, 5:21:48 PM
to kerb...@mit.edu
You should push a krb_cred message containing the ticket you wish to
proxy from the web client to the web application.
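The delegation path Sam describes, written up as an added Java example for the J2EE setting of the original question (this is not code from the thread or from jKrb5). It uses the standard JGSS API, whose Kerberos mechanism carries the KRB_CRED inside the AP-REQ, and assumes the service principal name, the LDAP URL and the JDK-specific com.sun.security.jgss.GSSUtil helper are available in the deployment.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import org.ietf.jgss.*;
import com.sun.security.jgss.GSSUtil;

// Added example: assumes krb5.conf and JAAS login configs for both sides, and a forwardable user TGT.
public class DelegatedLdapBind {
    static final Oid KRB5 = new Oid("1.2.840.113554.1.2.2");

    // User agent: first GSS token for the web application's service principal.
    // requestCredDeleg(true) makes the Kerberos mechanism embed a KRB_CRED message
    // (carrying a forwarded TGT) in the AP-REQ checksum field, as RFC 1964 specifies.
    static byte[] clientToken(String webAppSpn) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName peer = mgr.createName(webAppSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(peer, KRB5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestCredDeleg(true);
        ctx.requestMutualAuth(false);              // one-token exchange keeps the example short
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        if (!ctx.getCredDelegState()) {            // TGT not forwardable: hand over nothing
            throw new GSSException(GSSException.FAILURE);
        }
        return token;
    }

    // Web application (run inside Subject.doAs for its own keytab principal): accept the
    // token, take the delegated credential out of it and bind to LDAP as the user over
    // SASL/GSSAPI, so the LDAP server's own log records the user, not the web app.
    static LdapContext bindAsUser(byte[] token, String ldapUrl) throws Exception {
        GSSManager mgr = GSSManager.getInstance();
        GSSContext ctx = mgr.createContext((GSSCredential) null);
        ctx.acceptSecContext(token, 0, token.length);
        GSSCredential userCred = ctx.getDelegCred();   // null when the client sent no KRB_CRED
        if (userCred == null) {
            throw new SecurityException("no delegated credential from " + ctx.getSrcName());
        }
        System.out.println("audit: acting on behalf of " + ctx.getSrcName()); // stand-in for real logging
        Subject asUser = GSSUtil.createSubject(ctx.getSrcName(), userCred);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        return Subject.doAs(asUser,
            (PrivilegedExceptionAction<LdapContext>) () -> new InitialLdapContext(env, null));
    }
}
```

Note that what the web application receives this way is a forwarded TGT, so it can obtain tickets for any service, a broader grant than the single proxiable LDAP ticket the original post asks for; keep the delegated credential's lifetime short and limit which hosts may accept it where the KDC supports that.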