Goldrick, Jim wrote:
> Hi all,
>
> I am working to modify an SSO app called Cosign. I want it to try to
> authenticate to multiple realms. I actually have it doing that now.
> However, someone has brought up a good question. Right now, I only have an
> Active Directory realm and a Unix realm. However, if I want to add more Unix
> realms, how do I transfer the keytab.cosign to other KDCs? I am thinking
> that a kdb5_util load update would bring it into a different KDC. How can I
> dump the single principal from the original KDC? Or is my thinking all wrong
> here?
>
> Thanks much!
>
> jim

What you need to do is exchange cross-realm keys with the other realms whose principals you would like to be able to authenticate to your Cosign authenticated services.

You do not want to provide the key entries associated with your cosign installation to anyone else. If you have done so, you should change the keys immediately. Anyone with access to the cosign keys can gain access to all of the Kerberos 5 TGTs for users that have logged into Cosign.

Jeffrey Altman

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
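
A sketch of the cross-realm key exchange recommended in the reply, added here as an illustration and not taken from the thread or from the Cosign project. It assumes two MIT Kerberos realms; the realm names and KDC hostnames are constructed placeholders. The Cosign keytab stays on the Cosign host and is never copied.

```ini
# Constructed names: UNIX1.EXAMPLE.ORG is the realm of the Cosign services,
# UNIX2.EXAMPLE.ORG is the additional realm whose users should be accepted.
#
# Step 1: in kadmin on BOTH KDCs, create the same cross-realm principal and
# enter the same strong password, so both databases hold an identical key
# (the kvno and enctypes must match as well):
#
#   addprinc -requires_preauth krbtgt/UNIX1.EXAMPLE.ORG@UNIX2.EXAMPLE.ORG
#
# That single principal lets UNIX2 users obtain tickets for UNIX1 services.
# Add krbtgt/UNIX2.EXAMPLE.ORG@UNIX1.EXAMPLE.ORG only if trust in the
# reverse direction is also wanted.
#
# Step 2: krb5.conf on the clients and on the Cosign host.

[realms]
    UNIX1.EXAMPLE.ORG = {
        kdc = kdc.unix1.example.org
        admin_server = kdc.unix1.example.org
    }
    UNIX2.EXAMPLE.ORG = {
        kdc = kdc.unix2.example.org
        admin_server = kdc.unix2.example.org
    }

[domain_realm]
    .unix1.example.org = UNIX1.EXAMPLE.ORG
    .unix2.example.org = UNIX2.EXAMPLE.ORG

[capaths]
    # "." means the two realms share a key directly, with no intermediate realm.
    UNIX2.EXAMPLE.ORG = {
        UNIX1.EXAMPLE.ORG = .
    }
```

Only the krbtgt cross-realm key is shared between the KDCs; if that key is later suspected of exposure, it can be changed on both sides without touching any service keytab.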