Jonathan Calmels <jcalm...@nvidia.com> writes: > Thank you for the suggestions, I didn't know about kimpersonate and this > would indeed solve part of the problem. The reason why I mentioned > libkadm5 is because we were thinking of relying on > "kadm5_get_principal_keys" instead of keytabs. This way we could also > reuse the kadm ACLs and have a rule like "gsshostservice@REALM e > */ci@REALM".
You can certainly do that, but just be aware that there's not much in the way of a security difference between that and keytabs. In theory it means the GSS service doesn't have access to all the user's keys at once but has to ask for them on demand, but if I were you I'd just colocate the GSS service with the KDC since the security model is essentially the same, at which point the KDC database is right there and there's really no particularly meaningful distinction. (I have implemented something akin to this before, and that's how I did it.) > Forging a cross-realm TGT would definitely be preferable, although I'm > not sure if it's doable with libkrb5. It should be doable, but you may have to use really low-level functions to duplicate what kimpersonate is doing. -- Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
