>>>>> "denis" == denis havlik <[EMAIL PROTECTED]> writes:
denis> If Mr. [EMAIL PROTECTED] sits in company B, then he'll already have a TGT
denis> from B's KDC, and he'll be trusted to really be Mr. [EMAIL PROTECTED] in
denis> company A, but what happens if he tries to get a TGT while
denis> "roaming" in company A? Is he supposed to directly contact
denis> company B KDC, or will the company A KDC do this for him?

He'll need to contact the company B KDC himself. There are a variety of proposals for getting these credentials while talking to network authentication infrastructure--for example, getting credentials as part of DHCP. This is desirable because you might wish to require authentication before authorizing network access. But these proposals are not as mature as one might like.

denis> Am I right to assume that all the KDCs have to be visible
denis> from all the places in order for cross-realm auth. to work
denis> correctly? That is, KDCs must have a public IP address, and
denis> firewalls must allow access to udp 88 & udp>1024 to fetch a
denis> TGT?

Yes. The KDC software needs to be audited very carefully to make sure it is safe with this level of access. I believe all the KDC vendors I know of understand this and consider KDC security very important.

>> But most instances of pam_krb5 assume they can convert a login
>> name to a Kerberos principal simply by appending a default
>> realm. This is not inherent; you simply need to decide what
>> behavior you want and write code to accomplish it.

denis> OK, so it boils down to "rewrite pam_krb5 to try all realms
denis> defined in /etc/krb5.conf"? Any idea how much work that
denis> would be?

That would certainly work. There are also approaches that allow people to type in [EMAIL PROTECTED] at login and strip the realm. I think doing a quick hack to try a number of realms would probably take a day or so once you understand pam_krb5. Fortunately, most of the pam_krb5 implementations are relatively simple.
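The two login-name strategies discussed above (try every realm listed in /etc/krb5.conf, or accept user@REALM and strip the realm for the local account), as an added illustration that is not code from this thread or from any pam_krb5 implementation; the krb5.conf text, the realm names A.EXAMPLE / B.EXAMPLE and the KDC host names are constructed for the example.

```python
import re

# Constructed sample krb5.conf (not from the thread); A.EXAMPLE is the home realm.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = A.EXAMPLE
[realms]
    A.EXAMPLE = {
        kdc = kdc.a.example:88
    }
    B.EXAMPLE = {
        kdc = kdc.b.example
    }
"""

def parse_realms(conf_text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text."""
    default_realm, realms, section, current = None, {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if m := re.match(r'^\[(\w+)\]$', line):
            section = m.group(1)
        elif section == 'libdefaults':
            key, _, value = line.partition('=')
            if key.strip() == 'default_realm':
                default_realm = value.strip()
        elif section == 'realms':
            if m := re.match(r'^(\S+)\s*=\s*\{$', line):   # "REALM = {"
                current = m.group(1)
                realms.setdefault(current, [])
            elif line == '}':
                current = None
            elif current:
                key, _, value = line.partition('=')
                if key.strip() == 'kdc':
                    realms[current].append(value.strip())
    return default_realm, realms

def candidate_principals(login, conf_text):
    """Return (local_user, [principal, ...]) in the order a multi-realm
    pam_krb5 would try them: 'user@REALM' pins that realm (and must name a
    configured one); a bare name tries the default realm, then the rest."""
    default_realm, realms = parse_realms(conf_text)
    user, _, realm = login.partition('@')
    if realm:
        return user, [f'{user}@{realm}'] if realm in realms else []
    ordered = [default_realm] + sorted(r for r in realms if r != default_realm)
    return user, [f'{user}@{r}' for r in ordered if realms.get(r)]
```

Only realms with at least one configured KDC are tried, which is also the set whose KDCs the firewall rules above must expose.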
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos