[6646] in Kerberos
Re: how to use kinit.c code w/o putting TGT in a file?
daemon@ATHENA.MIT.EDU (Scott Weitzenkamp)
Wed Feb 14 20:23:41 1996
To: kerberos@MIT.EDU
Date: Wed, 14 Feb 1996 22:28:44 GMT
From: scott@talarian.com (Scott Weitzenkamp)
In article <tsl20o3xiad.fsf@tertius.mit.edu>,
Sam Hartman <hartmans@MIT.EDU> wrote:
>>>>>> "Scott" == Scott Weitzenkamp <scott@talarian.com> writes:
>
> Scott> I have been using the GSS-API to write Kerberos
> Scott> applications, and now I have been given the job of allowing
> Scott> all our client and server processes to run and have them do
> Scott> the equivalent of a kinit from C code, plus to not create a
> Scott> credentials cache file (supposedly to increase security).
> Scott> Does anybody know:
>
>
> Scott> 1) How can I merge gss-client.c and kinit.c to create a
> Scott> program that does not use a credentials cache file?
>
> I'd have to look some at the code, but I suggest you read the
>Internet draft on the GSSAPI binding to Kerberos5 and consider calling
>acquire_credentials directly after calling krb5_get_in_tkt for your
>service ticket instead of a tgt.
>
> Scott> 2) Does this really increase security to store a password
> Scott> in a C program? Is there a better way?
>
>
> Any time you have to store a secret like a password in a
>client application, you are decreasing security significantly. I'm
>not sure I understand what you are trying to do, but I suspect
>strongly there is a better way. If you would give more details, I
>suspect I could help some.
I can give lots of details :-).
We have KDC and a Kerberized server program behind a firewall
providing lots of data access to a WWW server sitting outside the
firewall. The WWW security FAQ refers to this WWW server
configuration as the "sacrificial lamb". I'm pretty new to Kerberos
and WWW so I don't claim to understand all the subtle nuances of
running the WWW server inside vs outside the firewall. I'm just
providing the network programming services and making sure it is
secure with Kerberos.
My main question is how to configure a Kerberized client program
sitting outside the firewall on the WWW server machine. The client
program will be initiated by a user action from the WWW server (via a
cgi-bin script, I am told). Thus the client program has to be able to
run unattended.
Do I use a keytab file and have the client program read that? If so,
then if someone steals my keytab file they can impersonate the client.
Chances are if they steal the keytab file they can steal the client
program executable too (they will probably have the same stealability).
That's why I thought it would be more secure to store a password in
the client program. If a bad guy steals the client program they can
run the program and cause trouble, but at least they don't have a
keytab file to cause further mischief with.
If there is a better way, I'm all ears. If there is a book or manual
somewhere that points out this better way, my wallet is open! :-) If
there was a good book on using the krb5_* and gss_* API functions, I
would buy it in a second!
--
Thanks in advance...
Scott Weitzenkamp, Talarian Corporation, Mountain View, CA
scott@talarian.com (415) 965-8050
"Welcome to the late show, starring NULL and void" -- Men At Work
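The thread's worry is that a keytab sitting next to the unattended client is exactly as stealable as the client binary. The usual mitigation is to give the client its own unprivileged uid, make the keytab readable by that uid only, and have the client refuse to start otherwise. The following is an added example written for this page, not code from either poster or from the MIT Kerberos distribution; it assumes a POSIX host and uses a constructed, empty stand-in file under /tmp in place of a real keytab, so no KDC or libkrb5 is needed to run it.

```c
/* Pre-flight permission check for a keytab used by an unattended client.
 * Added example for this page; not from the thread or from MIT Kerberos.
 * Assumption: the client runs under a dedicated, unprivileged uid that is
 * the sole owner of its keytab. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum keytab_check {
    KEYTAB_OK = 0,
    KEYTAB_MISSING,      /* cannot stat the path */
    KEYTAB_NOT_REGULAR,  /* not a regular file (directory, device, ...) */
    KEYTAB_WRONG_OWNER,  /* owned by some other uid */
    KEYTAB_TOO_OPEN      /* group or others have any access at all */
};

/* Return KEYTAB_OK only if `path` resolves to a regular file owned by
 * `expected_uid` with no group or other permission bits set (0600 or
 * stricter). Checks are ordered so the most serious finding is reported. */
int check_keytab_perms(const char *path, uid_t expected_uid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return KEYTAB_MISSING;
    if (!S_ISREG(st.st_mode))
        return KEYTAB_NOT_REGULAR;
    if (st.st_uid != expected_uid)
        return KEYTAB_WRONG_OWNER;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return KEYTAB_TOO_OPEN;
    return KEYTAB_OK;
}

/* Demonstration helper: create a constructed, empty stand-in for a keytab
 * under /tmp with exactly `mode`, run the check against `expected_uid`,
 * remove the file, and return the check result (-1 if setup failed). */
int check_with_mode(mode_t mode, uid_t expected_uid)
{
    static int seq;
    char path[80];
    int fd, rc;

    snprintf(path, sizeof path, "/tmp/keytab-demo-%ld-%d",
             (long)getpid(), ++seq);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    close(fd);
    if (chmod(path, mode) != 0) {   /* open() applied the umask; force the exact mode */
        unlink(path);
        return -1;
    }
    rc = check_keytab_perms(path, expected_uid);
    unlink(path);
    return rc;
}

int main(void)
{
    static const char *names[] = {
        "OK", "MISSING", "NOT_REGULAR", "WRONG_OWNER", "TOO_OPEN"
    };
    mode_t modes[] = { 0600, 0640, 0644, 0666 };
    size_t i;

    for (i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        int rc = check_with_mode(modes[i], getuid());
        printf("mode %04lo -> %s\n", (unsigned long)modes[i],
               rc < 0 ? "setup failed" : names[rc]);
    }
    printf("directory /tmp -> %s\n",
           names[check_keytab_perms("/tmp", getuid())]);
    return 0;
}
```

An unattended client would call `check_keytab_perms()` on its real keytab path before touching the Kerberos library and exit on anything but `KEYTAB_OK`; the stand-in files exist only so the example runs without a keytab. Note that this check limits who can read the keytab on the host, which is the only thing file permissions can do; it does not change the fact that whoever controls the host controls the keytab, which is the trade-off the thread is discussing.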