Webauth and SPNEGO with credential delegation
eagle at windlord.stanford.edu
Sun Jun 17 02:51:30 PDT 2007
Joachim Keltsch <joachim at keltsch.net> writes:
> in login.fcgi sub add_remuser_token builds this token and appends it to
> the list of tokens already available:
> # Create a proxy token.
> my $token = new WebKDC::WebKDCProxyToken;
> $token->creation_time (time);
> $token->expiration_time (time + $WebKDC::Config::REMUSER_EXPIRES);
> $token->proxy_data ($user);
> $token->proxy_subject ('WEBKDC:remuser');
> $token->proxy_type ('remuser');
> $token->subject ($user);
> # Add the token to the WebKDC request.
> my $token_string = base64_encode ($token->to_token ($keyring));
> $req->proxy_cookie ('remuser', $token_string);
> Is it enough to put the TGT there instead of the remuser token?
> Is there a function within the webkdc library to read ticket cache files?
The first pass I'd take at implementing this would probably be to use the
proxyToken API with the WebKDC to obtain a real proxy token rather than a
I'm not sure how much support is already there in the Perl layer for this.
The better approach would be to enhance the requestToken API (and probably
specifically the login token) to take a TGT instead of a password, which
would be a cleaner and more maintainable approach in the long run. But it
would be a bit more work and would mean protocol enhancements.
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University