[37213] in Kerberos

Re: Fwd: Queries for Kerb Auth using Certificates and KCD for linux

daemon@ATHENA.MIT.EDU (Alan Braggins)
Tue Sep 1 14:36:36 2015

To: <kerberos@mit.edu>
From: Alan Braggins <alan.braggins@brocade.com>
Message-ID: <55E5F01F.20505@brocade.com>
Date: Tue, 1 Sep 2015 19:36:15 +0100
MIME-Version: 1.0
In-Reply-To: <87613ujgt4.fsf@hope.eyrie.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 01/09/15 16:32, Russ Allbery wrote:
> Amit Thukral <amit.thukral403@gmail.com> writes:
>
>> I am trying to implement Kerberos authentication between clients and
>> Windows KDC using certificates.
>
>> The product on which this needs to be implemented is a Linux-based
>> reverse proxy.
[...]
> If I'm understanding your problem description correctly, I'm not sure this
> is possible.  To get Kerberos tickets from a certificate (aka PKINIT), the
> client that has access to the certificate private key needs to do this
> directly.  An intermediate cannot do this, since it doesn't have access to
> the certificate private key.  So if you're trying to get the Linux reverse
> proxy to do the authentication on behalf of the user, that isn't going to
> work.

There's also constrained delegation, where the client authenticates to
the proxy using TLS client certificates or some other protocol and then
the proxy is trusted to get tickets on behalf of the clients, but it
doesn't sound like that's what he wants to do either.

-- 
http://www.brocade.com/products/all/application-delivery-controllers/index.page
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
