[37583] in Kerberos
Re: Login usecase
daemon@ATHENA.MIT.EDU (Aneela Saleem)
Mon Jul 18 12:52:37 2016
In-Reply-To: <AC7C007B-19B6-4CC8-A296-8542E84BE46E@sinenomine.net>
From: Aneela Saleem <aneela@platalytics.com>
Date: Mon, 18 Jul 2016 21:52:20 +0500
Message-ID: <CAC1K3K9fkF=5OY0NdwakQgYNym_vGYbrk+aL2TdY8vtRd1EvGg@mail.gmail.com>
To: Brandon Allbery <ballbery@sinenomine.net>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

Yep, that will be great.

On Mon, Jul 18, 2016 at 8:41 PM, Brandon Allbery <ballbery@sinenomine.net> wrote:
> While I can’t give you details, it sounds like you want to change the web
> application to use SPNEGO to do Kerberos authentication with a user; this
> gives you a credential that you can then use to authenticate to Hadoop.
>
>
>
> *From: *Aneela Saleem <aneela@platalytics.com>
> *Date: *Monday, July 18, 2016 at 11:13
> *To: *Brandon Allbery <ballbery@sinenomine.net>
> *Cc: *"kerberos@mit.edu" <kerberos@mit.edu>
> *Subject: *Re: Login usecase
>
>
>
> Thanks Brandon for your response.
>
> Actually, my use case is that I have a web application that authenticates
> a user. Then the user calls my backend services, written in Java, to interact
> with the Hadoop cluster. My Hadoop cluster is Kerberos-enabled. I need to
> authenticate this user using my Java code. I am able to log in using keytab
> files, but I did not find a way to log in using a password. For logging in
> using keytab files, we need to place keytab files for all the system users
> on all the hosts from which we can access our Hadoop cluster. So this is
> the main drawback. And as you say logging in using keytab files is not
> appropriate, how can we achieve this objective?
>
> Thanks
>
>
>
> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballbery@sinenomine.net>
> wrote:
>
> You are going to have to describe what you are trying to do in more
> detail. Keytabs are not normally used for this purpose, except in the case
> of automated procedures (e.g. cron) that need to log in to a service as if
> they are a user. Perhaps you have confused keytabs (“passwords” on disk)
> with ccaches (ephemeral service credentials, which may or may not be on
> disk and typically expire in a relatively short time)?
>
>
> On 7/17/16, 16:04, "kerberos-bounces@mit.edu on behalf of Aneela Saleem" <
> kerberos-bounces@mit.edu on behalf of aneela@platalytics.com> wrote:
>
> Hi all,
>
> If a user logs into any kerberized application using Krb5LoginModule,
> there is a function loginFromKeyTab. The client should have the keytab
> file to log in to the application. But I think this is a very insecure way
> to log in. Anyone who could access your keytab file can then log in to the
> application. Is there any appropriate way to log in to the system? I don't
> understand how to do this. I'm stuck.
>
> Thanks
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
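
The thread asks how to log in through Krb5LoginModule with a password instead of a keytab. The sketch below is an added example, not code from any poster in this thread: it configures the JDK's Krb5LoginModule programmatically with keytab and ticket-cache use turned off, so the module asks a CallbackHandler for the principal and password. The class name `PasswordKerberosLogin` and the entry name `password-login` are hypothetical, and a working krb5.conf for the realm is assumed.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class PasswordKerberosLogin {
    /** Obtains a TGT for the principal from a password; no keytab or existing ccache is read. */
    public static Subject login(String principal, char[] password) throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "false");      // no long-term key stored on disk
        opts.put("useTicketCache", "false"); // do not pick up another account's ccache
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        // In-memory JAAS configuration, so no jaas.conf file is needed.
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        // The module requests the name and password through these callbacks.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("password-login", null, handler, conf);
        try {
            lc.login(); // AS exchange with the KDC named in krb5.conf
        } finally {
            Arrays.fill(password, '\0'); // wipe the caller's copy of the password
        }
        return lc.getSubject(); // holds the Kerberos principal and its ticket
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        Subject s = login(args[0], pw);
        System.out.println("Authenticated: " + s.getPrincipals());
    }
}
```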