I wonder if this should just be done through PAM?
Kevin
Mike Spreitzer wrote:
>
> It seems to me that it would be good to have an open standard for how to do
> Kerberos authentication and authorization for the web, and that you guys
> would support this and implement it; does this sound right to you?
>
> The authorization part I'm referring to is the ability to forward proxy
> tickets, including ticket-granting tickets, from client to server.
>
> Kerberos is already established in the UNIX community, and is about to have a
> significant presence in the Windows community (due to it being the basis
> for Windows 2000 security). This presents us with the happy prospect of
> something those two communities can agree on!
>
> We already have RFC 2712, which tells how to use Kerberos for
> authentication, integrity, and confidentiality in TLS (and specifies that
> no X.509 certificates are exchanged). However, TLS has not traditionally
> been taken any farther than this, so using it to forward tickets seems a bit
> odd. But not unthinkable; RFC 1964 standardizes a way to put tickets in
> the checksum field of the Kerberos "Authenticator" (and the Authenticator
> *is* used in RFC 2712). This might be a possible way to go. Another
> possibility is whatever Microsoft has already implemented for IE&IIS in
> Win2K.
>
> What do you think?
>
> Thanks,
> Mike
--
Kevin A Burton
http://relativity.yi.org
Mobile: 408-910-6145
"...there is something outside yourself that has to be served, when that
need is gone, when belief has died... what are you? A man without a Master."