[37559] in Kerberos

Resource based kerberos constrained delegation

daemon@ATHENA.MIT.EDU (Martin Burkhart)
Tue Jul 5 12:59:54 2016

From: Martin Burkhart <martin.burkhart@ergon.ch>
Date: Mon, 4 Jul 2016 16:08:14 +0200
Message-Id: <E243302D-4E4E-4EEF-B64B-3AC2EEF83B5B@ergon.ch>
To: ghudson@mit.edu
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Greg

I am the product manager of the Single Sign-on solution Airlock. We are interested in adding support for resource based Kerberos constrained delegation (RBKCD) to our solution but currently miss the corresponding feature in krb5-libs. You have been discussing this before with Stefan Dietiker (see below). Therefore, I’d like to ask a couple of questions:

- According to your experience, what’s the estimated effort for adding RBKCD to krb5-libs? 
- Is RBKCD somewhere on the roadmap?
- Is there a way of sponsoring a feature? 

Thanks in advance for your time
Best regards
Martin

-- 
Dr. Martin Burkhart
Head of Product Management
Application Security
https://www.airlock.com  

martin.burkhart@ergon.ch +41 44 268 83 27
Ergon Informatik AG, Merkurstrasse 43, CH-8032 Zürich
http://www.ergon.ch    
______________________________________________________________
e r g o n    smart people - smart software

> -----Original Message-----
> From: Greg Hudson [mailto:ghudson@mit.edu]
> Sent: Tuesday, 28 June 2016 16:59
> To: Stefan Dietiker <stefan.dietiker@ergon.ch>; kerberos@mit.edu
> Subject: Re: AW: Resource based kerberos constrained delegation
> 
> On 06/28/2016 06:03 AM, Stefan Dietiker wrote:
>> A few months ago I asked you whether it is possible with
>> krb5-libs to do Resource Based Kerberos Constrained Delegation or not.
>> You mentioned that the Kerberos libs do not include the
>> PA-PAC-OPTIONS which are required for this purpose. Recently I was
>> tracking the changes in the git repo and realized that a new option
>> "--request-pac" is available.
> 
> I don't believe this change bears any relation to resource based
> constrained delegation.  PA-PAC-REQUEST is different from PA-PAC-OPTIONS.
> 
> (I would also assume there is substantially more to implementing resource
> based constrained delegation on the client than just sending the
> PA-PAC-OPTIONS bit, or there would be no reason to have the bit in the
> protocol.)



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

