[23752] in Kerberos
Cross-Realm Authentication
daemon@ATHENA.MIT.EDU (Darren Hoch)
Fri Apr 22 00:21:14 2005
Message-ID: <42687B87.2030604@litemail.org>
Date: Thu, 21 Apr 2005 21:20:23 -0700
From: Darren Hoch <darren.hoch@litemail.org>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello Kerberos Gurus,
I am giving a pretty lengthy presentation on Sun Kerberos next week and
I want to make sure I have the correct understanding of how cross-realm
authentication works.
Domain1: EXAMPLE.COM
Domain2: EXAMPLE1.COM
1) The user darren@EXAMPLE.COM wants to telnet to
host/foo.example1.com@EXAMPLE1.COM using cross-realm authentication.
2) Both the KDC's host/kdc.example.com@EXAMPLE.COM and
host/kdc.example1.com@EXAMPLE1.COM create
krbtgt/EXAMPLE.COM@EXAMPLE1.COM and vice-versa principals in a direct
cross-real trust.
3) The user darren@EXAMPLE.COM issues the following command:
bar.example.com$ telnet -a -f -x foo.example1.com
4) From here, host/bar.example.com contacts the KDC for EXAMPLE.COM
looking for a cross-realm trust of host/foo.example1.com. Since there is
a principal for host/kdc.example1.com, host/kdc.example.com issues a
cross-realm service ticket for host/bar.example.com. The
host/bar.example.com then contacts host/foo.example1.com with a service
ticket presented from host/kdc.example.com and authenticates.
This is where I am a little confused on how exactly the trust
relationship plays out. To what degree do the two KDC's communicate this
trust relationship in this specific scenario. What is the order of
conversation? I am looking for some help with step 4 and if someone
could set me straight.
Thanks,
Darren
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos