Re: GSS-API routine for renewing credentials




----- Original Message -----
From: "Nicolas Williams" <Nicolas.Williams@xxxxxxx>
To: "Robert" <rob_krb@xxxxxxxxx>
Cc: <kerberos@xxxxxxx>
Sent: Thursday, April 19, 2007 0:01
Subject: Re: GSS-API routine for renewing credentials


On Wed, Apr 18, 2007 at 11:41:03PM +0200, Robert wrote:
On Wed, Apr 18, 2007 at 08:25:39PM +0200, Robert wrote:
Does anyone know whether there is a routine in GSS-API to renew (forwarded)
client credentials? I'm unable to locate such a routine in GSS-API, but maybe
I'm overlooking it.

There's no such thing.

In SSHv2 we deal with this by re-keying the SSHv2 session and, in the
process, establishing a new GSS-API security context, which is an
opportunity to delegate a new credential.

I.e., you have to establish a new security context.

Thanks Nico.

I'm just thinking how that would work (if that would work for my situation).
I'm looking at this from a client -> gateway -> backend server perspective.
The client should actually not be bothered by the need to initiate a new
security context with the gateway. That's what you indicate, right?
(The gateway may need the delegated credentials to initiate a new security
context to a second backend server (silent failover)).

Do you have control over the protocol that your application is using, or
is it a standard protocol (or de facto standard from your point of view)?

If the former, then just add an option to re-authenticate (establish a
new security context).

If the latter and the protocol is SSHv2, just do what I described
earlier.

If the latter and the protocol is something like IKE/KINK, then just
establish a new SA or equivalent.

If the latter and the protocol is something like ONC RPC w/ RPCSEC_GSS
then just establish a new context (but you need to make sure that you
map the new context to the correct "session" at the application
protocol, if there is such a concept).

If the latter and the protocol is something like FTP, or if it uses
SASL (like IMAP), then you lose: you have to tear down the connection
and start over if you really want to delegate a new credential.

Nico
--

I do have control over the protocol (That is, in one instance. Another
instance will probably make use of SASL). Thanks for your elaborate answer.
It's much appreciated.
I'll go and play around with it a bit.

Thanks,
Robert

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
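The gateway-side bookkeeping that Nico's advice implies (no renew call exists, so track the delegated credential's lifetime, have the client establish a fresh context before it expires, and map that context onto the existing application session) as an added example; this is constructed illustration code, not anything from the thread or from a GSS-API library, and the principal-match check on rebind is an assumption about what a sane gateway should enforce.

```python
"""Gateway session table for the re-authentication scheme discussed above.
All names and values are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class SecurityContext:
    ctx_id: str         # handle of an established GSS-API context (constructed)
    initiator: str      # authenticated client principal (constructed)
    deleg_expiry: int   # expiry of the delegated credential, Unix seconds
    delegated: bool     # whether the initiator actually delegated a credential

@dataclass
class AppSession:
    session_id: str
    ctx: SecurityContext
    state: dict = field(default_factory=dict)  # app state that must survive re-auth

class SessionTable:
    def __init__(self, renew_margin=300):
        self.renew_margin = renew_margin  # seconds before expiry to ask for re-auth
        self.sessions = {}

    def open(self, session_id, ctx):
        self.sessions[session_id] = AppSession(session_id, ctx)
        return self.sessions[session_id]

    def needs_reauth(self, session_id, now):
        """True when the delegated credential is absent or about to expire,
        i.e. the gateway could not open a new backend context with it."""
        ctx = self.sessions[session_id].ctx
        return (not ctx.delegated) or ctx.deleg_expiry - now <= self.renew_margin

    def rebind(self, session_id, new_ctx):
        """Attach a freshly established context to an existing session.
        The new context must authenticate the same principal as the old one
        and must carry a delegated credential; otherwise the old context stays
        in place, so a re-auth cannot move a session to a different user."""
        sess = self.sessions[session_id]
        if new_ctx.initiator != sess.ctx.initiator:
            raise PermissionError("re-auth by a different principal")
        if not new_ctx.delegated:
            raise ValueError("new context carries no delegated credential")
        sess.ctx = new_ctx  # sess.state is untouched by the re-authentication
        return sess
```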
