
Webauth and SPNEGO with credential delegation

Russ Allbery eagle at windlord.stanford.edu
Sun Jun 17 02:51:30 PDT 2007


Joachim Keltsch <joachim at keltsch.net> writes:

> in login.fcgi sub add_remuser_token builds this token and appends it to
> the list of tokens already available:

>     # Create a proxy token.
>     my $token = new WebKDC::WebKDCProxyToken;
>     $token->creation_time (time);
>     $token->expiration_time (time + $WebKDC::Config::REMUSER_EXPIRES);
>     $token->proxy_data ($user);
>     $token->proxy_subject ('WEBKDC:remuser');
>     $token->proxy_type ('remuser');
>     $token->subject ($user);

>     # Add the token to the WebKDC request.
>     my $token_string = base64_encode ($token->to_token ($keyring));
>     $req->proxy_cookie ('remuser', $token_string);

> Is it enough to put the TGT there instead of the remuser token?
> Is there a function within the webkdc library to read ticket cache files?

The first pass I'd take at implementing this would probably be to use the
proxyToken API with the WebKDC to obtain a real proxy token rather than a
faked one.

    http://webauth.stanford.edu/protocol.html#xmlwebkdcproxytoken

I'm not sure how much support is already there in the Perl layer for this.

The better approach would be to enhance the requestToken API (and probably
specifically the login token) to take a TGT instead of a password, which
would be a cleaner and more maintainable approach in the long run.  But it
would be a bit more work and would mean protocol enhancements.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University