User delegation in Kerberos V5
Hi,

I am wondering if I can do the following in Kerberos (any flavours).

I am a user of some realm. I have a friend Alice who is not a user of
my realm nor is a user of any other Kerberos realm.

How can I give access to Alice to some of the files stored on a
Kerberized file server?

In other words, can I somehow delegate my permissions (token) to Alice so
that she can use that token to authenticate with the server? I don't
want to do proxy delegation since I don't want Alice to act on my
behalf.

I was thinking that it might be possible in public-key-based Kerberos
(PKDA or PKINIT).

I browsed for a while but could not find any document that said that in
Kerberos a user can delegate his/her token to another user. Any
pointers?

PS: Is public-key-based Kerberos used in practice?

Thanks.
