CoSign: Collaborative Single Sign-On  
cosign-discuss at umich.edu
general discussion of cosign development and deployment

Re: Kerberos Tickets



On Mar 30, 2004, at 10:20 PM, Brett Lomas wrote:

> Thanks for the reply on the hardware and all, very helpful.

Glad to help. I trust Johanna's reply was helpful too?


> CoSign and Kerberos question. When an application requests a Kerberos ticket
> (the RETRIEVE command to cosignd) it appears to be allowed to specify the
> ticket name (eg imap/imap.auckland.ac.nz@xxxxxxxxxxxxxx). This looks to be a
> service account (in the examples I have seen), does this mean that a service
> ticket is passed back to the application, and not a/the TGT the cosign CGI
> obtained to authenticate the user?

That's the eventual plan, Brett, but currently it is the TGT that is returned. You'll note the 0/1 in cosign.conf to determine whether a service can request Kerberos credentials? In theory this could eventually be a list of services for which a service is allowed to request service tickets (e.g. mail can ask for imap, directory can ask for ldap, etc.). We were sure, during early development, that not distributing the TGT would be a major feature requirement. So far it just hasn't been (for us, anyway).


Is this a make or break feature for your site?

Kevin
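The distinction Kevin draws above matters for least privilege: under the current 0/1 flag a service marked 1 is handed the user's TGT, regardless of the principal name it put in the RETRIEVE command, whereas the "eventual plan" would hand back only a service ticket for an explicitly allowed principal. The following script is an added example, not cosign's own code; it assumes a `service <name> <0|1> [principal ...]` line format (the optional principal list modelling the planned per-service allow list), uses a constructed sample configuration, and reports which services currently receive a TGT and how each RETRIEVE would be decided under both policies.

```python
"""Audit which cosign services may RETRIEVE Kerberos credentials.

Assumed cosign.conf-style service lines (this format is an assumption for
the example, not taken from the cosign documentation):

    service <service-name> <kerberos-flag> [<allowed-principal> ...]

kerberos-flag is the 0/1 switch mentioned in the thread; the optional list of
principals models the "eventual plan" (a service may only ask for specific
service tickets). Everything here is an added example, not cosign code.
"""
from dataclasses import dataclass, field

# Constructed sample configuration (not any real site's cosign.conf).
SAMPLE_CONF = """\
# services registered with cosignd
service cosign-www.example.edu 0
service cosign-webmail.example.edu 1 imap/imap.example.edu ldap/ldap.example.edu
service cosign-directory.example.edu 1
service cosign-wiki.example.edu 0
"""


@dataclass
class Service:
    name: str
    kerberos: bool                      # the 0/1 flag from the config line
    allowed: list = field(default_factory=list)  # planned per-service allow list


def parse_services(text):
    """Parse the assumed service lines; other directives are ignored."""
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] != "service":
            continue
        if len(fields) < 3 or fields[2] not in ("0", "1"):
            raise ValueError(
                f"line {lineno}: expected 'service <name> <0|1> [principal ...]'")
        services.append(Service(fields[1], fields[2] == "1", fields[3:]))
    return services


def services_receiving_tgt(services):
    """Current behaviour described in the thread: flag 1 means the service is
    given the user's TGT, whatever principal name it names in RETRIEVE."""
    return [s.name for s in services if s.kerberos]


def retrieve_decision(services, service_name, requested_principal, planned=False):
    """What a RETRIEVE for `requested_principal` would yield for `service_name`.

    planned=False: today's 0/1 policy -> 'tgt' or 'denied'.
    planned=True:  the per-service principal list -> 'service-ticket' or 'denied'
                   (a flag-1 service with an empty list gets nothing).
    """
    svc = next((s for s in services if s.name == service_name), None)
    if svc is None or not svc.kerberos:
        return "denied"
    if not planned:
        return "tgt"
    return "service-ticket" if requested_principal in svc.allowed else "denied"


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_CONF)
    print("services that currently receive the user's TGT:",
          services_receiving_tgt(svcs))
    checks = [
        ("cosign-webmail.example.edu", "imap/imap.example.edu"),
        ("cosign-webmail.example.edu", "ldap/ldap.example.edu"),
        ("cosign-webmail.example.edu", "host/other.example.edu"),
        ("cosign-directory.example.edu", "ldap/ldap.example.edu"),
        ("cosign-www.example.edu", "imap/imap.example.edu"),
    ]
    for name, princ in checks:
        print(f"{name} RETRIEVE {princ}: now={retrieve_decision(svcs, name, princ)}"
              f" planned={retrieve_decision(svcs, name, princ, planned=True)}")
```

Run against a real configuration, the `services_receiving_tgt` list is the set of hosts whose compromise exposes full user TGTs rather than a single service's tickets, which is the risk the 0/1 flag asks an administrator to accept for each service.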

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010