From: "Mike Spreitzer"
Subject: RE: Kerberos authentication and authentication (proxy ticket forwarding)
Date: Sat, 6 Nov 1999 01:09:13 PST
Message-ID: <000d01bf2836$97def6a0$27d1000d@deimos.parc.xerox.com>
In-Reply-to: <3823DF4F.9EC1E088@relativity.yi.org>
Reply-To: new-httpd@apache.org

> I wonder if this should just be done through PAM?

PAM doesn't solve the problem I'm addressing. The problem I'm addressing is the need for some form of delegation. That is, given that the user has already "logged in" in one way or another (this is what PAM is for, right?) to "his" machine, and wants to invoke an operation on a remote web server, and that remote operation in turn needs to invoke another even more remote operation *as the original user*, what enables the first web server to act on the user's behalf? The standard answer in the Kerberos setting is that the client forwards proxy tickets (either specific service tickets or ticket granting tickets) to the first server.