cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Kerberos Tickets
On Mar 30, 2004, at 10:20 PM, Brett Lomas wrote:
Thanks for the reply on the hardware and all, very helpful.
Glad to help. I trust Johanna's reply was helpful too?
CoSign and Kerberos question. When an application requests a Kerberos ticket
(the RETRIEVE command to cosignd) it appears to be allowed to specify a
ticket name (e.g. imap/imap.auckland.ac.nz@xxxxxxxxxxxxxx). This looks to be a
service account (in the examples I have seen). Does this mean that a
service ticket is passed back to the application, and not a/the TGT that cosign
obtained to authenticate the user?
That's the eventual plan, Brett, but currently it is the TGT that is
returned. You'll note the 0/1 in cosign.conf to determine whether a
service can request Kerberos credentials? In theory this could
eventually be a list of services for which a service is allowed to
request service tickets (e.g. mail can ask for imap, directory can ask
for ldap, etc.). We were sure, during early development, that not
distributing the TGT would be a major feature requirement. So far it
just hasn't been (for us, anyway).
Is this a make or break feature for your site?
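Since the reply above says the credential handed back by RETRIEVE is currently the user's TGT rather than a service ticket, a site evaluating cosign may want a quick way to confirm what actually landed in the application's credential cache. The following is an added example, not cosign code or anything from the thread: it parses the text printed by the MIT `klist` command and reports whether the cache holds a ticket-granting ticket (`krbtgt/...`) or only service tickets. The sample listings, realm and principal names are constructed for the example; the date layout assumed is the two-column "Valid starting / Expires / Service principal" form.

```python
"""Classify the tickets in a Kerberos credential cache listing.

Added example (not part of cosign). Input is the text `klist` prints;
run `klist > listing.txt` on the cosign-protected host and pass the file
to classify_listing() to see whether the application received the TGT
or only a service ticket.
"""
import re
import sys

# Constructed sample `klist` output: a cache holding the user's TGT plus
# one service ticket, which is what the thread says cosign hands out today.
SAMPLE_WITH_TGT = """\
Ticket cache: FILE:/tmp/krb5cc_cosign_example
Default principal: brett@EXAMPLE.EDU

Valid starting       Expires              Service principal
03/30/2004 22:20:00  03/31/2004 08:20:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
03/30/2004 22:21:00  03/31/2004 08:20:00  imap/imap.example.edu@EXAMPLE.EDU
"""

# Constructed sample of the "eventual plan": only a service ticket, no TGT.
SAMPLE_SERVICE_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_cosign_example
Default principal: brett@EXAMPLE.EDU

Valid starting       Expires              Service principal
03/30/2004 22:21:00  03/31/2004 08:20:00  imap/imap.example.edu@EXAMPLE.EDU
"""

# One ticket line: two timestamps (2- or 4-digit year) followed by a principal.
TICKET_LINE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+"
    r"(?P<principal>\S+)$"
)
DEFAULT_PRINCIPAL = re.compile(r"^Default principal:\s+(\S+)$")


def is_tgt(principal: str) -> bool:
    """True for a ticket-granting ticket, i.e. the krbtgt/<REALM>@<REALM>
    principal (a cross-realm TGT, krbtgt/OTHER@REALM, also counts: either
    one lets the holder request further service tickets)."""
    name, _, _realm = principal.partition("@")
    return name.startswith("krbtgt/")


def classify_listing(text: str) -> dict:
    """Parse klist output and split the tickets into TGTs and service tickets."""
    result = {
        "default_principal": None,
        "tgts": [],
        "service_tickets": [],
        "holds_tgt": False,
    }
    for line in text.splitlines():
        line = line.strip()
        m = DEFAULT_PRINCIPAL.match(line)
        if m:
            result["default_principal"] = m.group(1)
            continue
        m = TICKET_LINE.match(line)
        if not m:
            continue  # header, blank line, or cache name
        principal = m.group("principal")
        if is_tgt(principal):
            result["tgts"].append(principal)
        else:
            result["service_tickets"].append(principal)
    result["holds_tgt"] = bool(result["tgts"])
    return result


def report(text: str) -> str:
    """Human-readable summary of what the cache grants the holder."""
    r = classify_listing(text)
    if r["holds_tgt"]:
        return (f"{r['default_principal']}: cache holds a TGT ({', '.join(r['tgts'])}); "
                f"holder can obtain tickets for any service, not just "
                f"{', '.join(r['service_tickets']) or 'none listed'}")
    return (f"{r['default_principal']}: service tickets only "
            f"({', '.join(r['service_tickets']) or 'none'}); no TGT present")


if __name__ == "__main__":
    # Read a real listing from a file argument, otherwise show both samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(report(f.read()))
    else:
        print(report(SAMPLE_WITH_TGT))
        print(report(SAMPLE_SERVICE_ONLY))
```

The distinction matters for the question in the thread: a service ticket for `imap/...` is only useful against that one service, while a TGT in the application's cache lets whoever controls that host request tickets for any service as the user, so a site that cannot accept that exposure would want the per-service option the reply describes as the eventual plan.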