question on keytabs - Kerberos


  1. question on keytabs

    Hi all,

    I am working to modify an SSO app called Cosign. I want it to try to authenticate to multiple realms. I actually have it doing that now. However, someone has brought up a good question. Right now, I only have an Active Directory realm and a Unix realm. However, if I want to add more Unix realms, how do I transfer the keytab.cosign to other KDCs? I am thinking that a kdb5_util load update would bring it into a different KDC. How can I dump the single principal from the original KDC? Or is my thinking all wrong here?

    Thanks much!

    jim




    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: question on keytabs

    Goldrick, Jim wrote:

    > Hi all,
    >
    > I am working to modify an SSO app called Cosign. I want it to try to authenticate to multiple realms. I actually have it doing that now. However, someone has brought up a good question. Right now, I only have an Active Directory realm and a Unix realm. However, if I want to add more Unix realms, how do I transfer the keytab.cosign to other KDCs? I am thinking that a kdb5_util load update would bring it into a different KDC. How can I dump the single principal from the original KDC? Or is my thinking all wrong here?
    >
    > Thanks much!
    >
    > jim


    What you need to do is exchange cross-realm keys with the other realms
    whose principals you would like to be able to authenticate to your
    Cosign authenticated services.

    You do not want to provide the key entries associated with your cosign
    installation to anyone else. If you have done so, you should change the
    keys immediately. Anyone with access to the cosign keys can gain
    access to all of the Kerberos 5 TGTs for users that have logged into
    Cosign.

    Jeffrey Altman


    --
    -----------------
    This e-mail account is not read on a regular basis.
    Please send private responses to jaltman at mit dot edu
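
The cross-realm key exchange recommended in the reply above, sketched as an added example (not part of the original thread, and not Cosign's or MIT's own tooling): for each extra realm it prints the MIT `kadmin.local` command that creates the one-way trust principal `krbtgt/SERVICE_REALM@USER_REALM`, to be run on both KDCs with the same password. The realm names, the enctype choice and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: plan one-way cross-realm trust instead of copying keytab.cosign.
# SERVICE_REALM holds the Cosign services; each USER_REALM holds users who
# should be able to authenticate to them. All realm names are constructed.
LC_ALL=C; export LC_ALL                    # keep [A-Z] ranges ASCII-only
ENCTYPE="aes256-cts-hmac-sha1-96:normal"   # assumption: both KDCs support it

# Accept only upper-case DNS-style realm names, so nothing unexpected
# ends up inside the quoted kadmin query.
valid_realm() {
    case "$1" in
        ""|*[!A-Z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Principal that lets clients of realm $2 reach services in realm $1.
xrealm_principal() {
    printf 'krbtgt/%s@%s\n' "$1" "$2"
}

# For every user realm, print the command to run on BOTH KDCs. addprinc
# prompts for a password; typing the same one on each side gives matching
# keys. No key is dumped from a KDC or taken from the Cosign keytab.
xrealm_plan() {
    service_realm=$1; shift
    valid_realm "$service_realm" || { echo "bad realm: $service_realm" >&2; return 1; }
    for user_realm in "$@"; do
        valid_realm "$user_realm" || { echo "bad realm: $user_realm" >&2; return 1; }
        [ "$user_realm" != "$service_realm" ] || continue
        princ=$(xrealm_principal "$service_realm" "$user_realm")
        for kdc_realm in "$service_realm" "$user_realm"; do
            printf 'kadmin.local -r %s -q "addprinc -e %s %s"\n' \
                "$kdc_realm" "$ENCTYPE" "$princ"
        done
    done
}

# Constructed sample: one Cosign realm, two additional Unix realms.
xrealm_plan COSIGN.EXAMPLE.ORG UNIX2.EXAMPLE.ORG UNIX3.EXAMPLE.ORG
```

The script only prints the plan; each printed command is run by an administrator on the KDC of the realm named after `-r`.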
