> If I understand GSS proxy right, I provide a keytab with my
password in it so
that it can get a TGT as me whenever it wants. The keytab may not be human
readable, but it is directly usable by kinit. This seems too much like typing my
passwd into a plain text file.
You do not give it "your" keytab. It has its own.
Ah. I had to give k5start a keytab with my encrypted password in it. It doesn't have
its own Kerberos identity. How does gss-proxy authenticate as me, then?
> I also don't understand how s4u2proxy can be considered
"constrained"
delegation, or even really delegation: "The client has no control over
whether a service can delegate on behalf of the user. The client does not
request delegation nor does it pass a forwardable TGT to the service. The
client cannot detect that delegation will be, or has been, performed. If local
policy allows the service to perform S4U2proxy delegation, this delegation is
performed solely at the discretion of the service." It sounds more like
identity appropriation to me. Like "su - <username>" by root.
No. This is not how it works. S4U2proxy running on service A takes your ticket
that you sent to service A and asks KDC can I get a ticket to service B for this
user on user behalf. It is constrained in the terms of KDC having all the
policies to define the rules which services set A can impersonate which users
talking to services B. It is constrained by these relationships. It is not wild
west.
Wouldn't my service ticket expire at the same time my TGT does? How does this help me
make sure my ticket stays valid for the life of my long lived process?
The part in quotes was from the Microsoft website explaining how s4u2proxy works. Bullet
#1 (not quoted), seems to say the opposite of the above. The verbatim quote is from the
fourth bullet point, here:
http://msdn.microsoft.com/en-us/library/cc246079.aspx
I would be very happy to learn that this is a mistake, but their page is clear to the
point of being emphatic.
The certificate or keytab are not different from each other so I
really
do not see a point here. Everything that you describe can be done just
using a keytab.
Ah, so we're back to "what's in the keytab?" If it's gss-proxy's
keytab, what does it have to do with me? How does my identity get delegated?
In any case, keytabs are long term secrets (for users or services), and proxy certificates
are not. If I'm going to give something access to my identity, I don't want to be
giving it my long term secret (password), but I do want to give it _something_! It's
also my understanding that DogTag is set up to securely store certificates, controlling
their release to authorized parties. I am not aware of a similar service for keytabs.
This electronic message contains information generated by the USDA solely for the intended
recipients. Any unauthorized interception of this message or the use or disclosure of the
information it contains may violate the law and subject the violator to civil or criminal
penalties. If you believe you have received this message in error, please notify the
sender and delete the email immediately.