Difference between revisions of "Projects/IAKERB"

(Background)
Line 5: Line 5:
 
==Background==
 
==Background==
   
Implement [http://tools.ietf.org/html/draft-zhu-ws-kerb-03 IAKERB].
+
Implement [http://tools.ietf.org/html/draft-zhu-ws-kerb-03 IAKERB]. IAKERB is a protocol for proxying KDC exchanges via GSS-API.
   
The implementation presently only supports AS-REQ IAKERB initiators, so an initiating client will need to be in the same realm as the service and will not get a TGT. (The code for acquiring a TGT is quite complicated.) Third-party IAKERB initiators can acquire TGTs, because the acceptor simply forwards the packets to the KDC.
 
  +
Note: the implementation requires the KDC to support referrals to work in cross-realm environments. Making the non-referral cross-realm heuristics asynchronous will be a considerable amount of work. Most modern KDCs support referrals.
   
 
==Architecture==
 
==Architecture==
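
Review bot: the Background paragraph on AS-REQ-only initiators (the initiating client must be in the same realm as the service and will not get a TGT) is absent from the new revision, and the referral note that takes its place does not say whether that limitation still holds. If TGT acquisition by the initiator is still unsupported, keep a sentence saying so next to the referral requirement. The closing claim "Most modern KDCs support referrals" would also be more useful if it named the KDC implementations it was checked against.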

Revision as of 12:51, 17 November 2009

This is an early-stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Background

Implement IAKERB. IAKERB is a protocol for proxying KDC exchanges via GSS-API.

Note: the implementation requires the KDC to support referrals to work in cross-realm environments. Making the non-referral cross-realm heuristics asynchronous will be a considerable amount of work. Most modern KDCs support referrals.

Architecture

Implementation

libkrb5

GSS

Open issues

Status

Code is in the users/lhoward/iakerb branch.