---- Original message ----
>Date: Tue, 24 Oct 2006 15:50:58 -0500 (CDT)
>From: Jacob Yocom-Piatt <[EMAIL PROTECTED]>
>Subject: Re: krb5 login help
>To: misc@openbsd.org
>
>>The next problem is that I don't control the server (I'm trying to
>>authenticate my departmental server against the university-wide
>>Kerberos server). I'll dig into Google on that one, but on a
>>conceptual note, don't I just need to have their key stored on my
>>client and not vice versa? This should be a one-way trust (me
>>trusting them, not vice versa), right? Or are there security
>>implications that I'm not understanding with Kerberos?
>>
Oops, I may have misunderstood your post in my first response. From the sound of it, you want to do cross-realm authentication. I am guessing that your setup is as below:

  DEPT.WASHINGTON.EDU = your realm
  WASHINGTON.EDU      = whole university realm

You control the DEPT.WASHINGTON.EDU KDC and want users with DEPT.WASHINGTON.EDU tickets to be able to authenticate against WASHINGTON.EDU.

Add a principal krbtgt/[EMAIL PROTECTED] to both the DEPT.WASHINGTON.EDU KDC and the WASHINGTON.EDU KDC. The key for this principal needs to be identical on both hosts. This should give one-way trust and not allow WASHINGTON.EDU ticket holders to get into the DEPT.WASHINGTON.EDU show.

You will certainly need to work with the admin for the WASHINGTON.EDU realm to get this working. Google for "cross realm authentication heimdal" to dig up more info.

Cheers,
Jake
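The mechanism Jake describes (a krbtgt principal for the remote realm, keyed identically in both KDC databases, giving trust in one direction only) can be seen end to end in the following toy model. This is an added example written for this page, not code from the thread, from OpenBSD or from Heimdal, and it is not a Kerberos implementation: an HMAC over a JSON payload stands in for ticket encryption, SHA-256 of principal-plus-password stands in for string-to-key, the realm names follow Jake's guess, and the user, host and password values are constructed. What it shows is why the two copies of the krbtgt key must match (the remote KDC can only validate a cross-realm TGT it can re-key itself) and why the reverse direction is refused (the departmental KDC simply holds no krbtgt/DEPT.WASHINGTON.EDU@WASHINGTON.EDU principal to issue from).

```python
"""Toy model of a Kerberos cross-realm TGS exchange (added example, not real Kerberos)."""
import hashlib
import hmac
import json

DEPT = "DEPT.WASHINGTON.EDU"          # departmental realm (the poster's own KDC)
UNIV = "WASHINGTON.EDU"               # university-wide realm
CROSS = f"krbtgt/{UNIV}@{DEPT}"       # cross-realm principal, present in BOTH databases
SERVICE = f"host/fs.washington.edu@{UNIV}"   # constructed service in the university realm
SHARED_PW = "agreed-out-of-band-with-univ-admin"  # constructed; same string on both KDCs


def string_to_key(password: str, principal: str) -> bytes:
    # Stand-in for Kerberos string-to-key. The salt is the principal name, as
    # Heimdal and MIT do by default, so the same password on both KDCs yields
    # the same key. Real KDCs use PBKDF2/DES-style derivation, not plain SHA-256.
    return hashlib.sha256((principal + password).encode()).digest()


class KDC:
    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.db = dict(principals)   # principal name -> long-term key

    def issue(self, client: str, service: str):
        # TGS exchange, simplified: the client's own TGT for this realm is
        # assumed already validated. The ticket is keyed to the service principal.
        key = self.db.get(service)
        if key is None:
            raise LookupError(f"{self.realm}: no principal {service} in database")
        payload = json.dumps({"client": client, "service": service, "issuer": self.realm}).encode()
        return payload, hmac.new(key, payload, "sha256").digest()

    def accept_cross_realm_tgt(self, ticket) -> str:
        # The remote KDC receives a TGT issued by the home realm and must
        # re-key it with ITS copy of krbtgt/<this realm>@<home realm>.
        payload, tag = ticket
        info = json.loads(payload)
        if not info["service"].startswith(f"krbtgt/{self.realm}@"):
            raise ValueError(f"{self.realm}: ticket is not a TGT for this realm")
        key = self.db.get(info["service"])
        if key is None:
            raise LookupError(f"{self.realm}: no cross-realm principal {info['service']}")
        if not hmac.compare_digest(hmac.new(key, payload, "sha256").digest(), tag):
            raise ValueError(f"{self.realm}: cross-realm TGT rejected, krbtgt key differs between KDCs")
        return info["client"]


def cross_realm_auth(home: KDC, remote: KDC, client: str, service: str):
    # 1. home KDC issues a TGT for the remote realm (needs krbtgt/REMOTE@HOME in home db)
    tgt = home.issue(client, f"krbtgt/{remote.realm}@{home.realm}")
    # 2. remote KDC validates it (needs the same krbtgt/REMOTE@HOME key in remote db)
    who = remote.accept_cross_realm_tgt(tgt)
    # 3. remote KDC issues a ticket for one of its own services
    return remote.issue(who, service)


dept = KDC(DEPT, {f"alice@{DEPT}": string_to_key("alice-pw", f"alice@{DEPT}"),
                  CROSS: string_to_key(SHARED_PW, CROSS)})
univ = KDC(UNIV, {SERVICE: string_to_key("host-pw", SERVICE),
                  CROSS: string_to_key(SHARED_PW, CROSS)})


def demo() -> dict:
    out = {}
    payload, _ = cross_realm_auth(dept, univ, f"alice@{DEPT}", SERVICE)
    out["dept_to_univ"] = json.loads(payload)["issuer"]        # service ticket from WASHINGTON.EDU
    try:   # reverse direction: DEPT holds no krbtgt/DEPT.WASHINGTON.EDU@WASHINGTON.EDU
        cross_realm_auth(univ, dept, f"bob@{UNIV}", f"host/dept.washington.edu@{DEPT}")
        out["univ_to_dept"] = "allowed"
    except LookupError:
        out["univ_to_dept"] = "refused"
    univ_typo = KDC(UNIV, {SERVICE: univ.db[SERVICE], CROSS: string_to_key("typo", CROSS)})
    try:   # same principal on both sides but different keys: TGT fails integrity check
        cross_realm_auth(dept, univ_typo, f"alice@{DEPT}", SERVICE)
        out["key_mismatch"] = "allowed"
    except ValueError:
        out["key_mismatch"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry: the university realm's willingness to accept departmental users lives entirely in its copy of krbtgt/WASHINGTON.EDU@DEPT.WASHINGTON.EDU, which is why the WASHINGTON.EDU admin has to be involved, and nothing in the departmental database lets WASHINGTON.EDU users in unless the mirror-image principal is also created.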