Hostbased service names (Re: domain-based service names redux)


On Tue, Jun 12, 2007 at 11:03:11PM +0200, Martin Rex wrote:
> The most sensible and infrastructure-independent approach (i.e. independent
> of how load-balancing is done within the backend and where within
> the backend the secure communication is terminated) for traditional
> Kerberos authentication would be to standardize the user2user
> authentication exchange and use that (no use of _hostbased_
> service names).

Well, no.  The ideal thing to do (as opposed to the *pragmatic* thing to
do) is to add a new krb5 mech or extension to the existing mech that
uses three tokens, with an option for user-to-user[*], so as to get rid
of the need for a replay cache.

That has nothing to do with also deprecating the use of hostbased
service names.  Apps will still need a way to name non-human entities
running on specific hosts.  And whether we drop the _service_ part of
hostbased service names is also another story.

[*]  With RFC4120 as it is, it is not quite possible to do a three-token
     user-2-user mechanism; four tokens are required.  That's because
     the initiator has to be the one sending the AP-REQ, but it can't
     make an AP-REQ until it has obtained the acceptor's Ticket (which
     has got to be sent no earlier than in the second token since in the
     GSS-API the initiator always sends the first token).

     A user-2-user three-token mechanism is possible however, but the
     spec for it would have to update RFC4120.


Nico
-- 


_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten