[Freeipa-devel] Kerberos implementation issues

Pete Zaitcev zaitcev at redhat.com
Tue Jun 21 22:48:08 UTC 2011


On Tue, 21 Jun 2011 18:28:36 -0400
Dmitri Pal <dpal at redhat.com> wrote:

Dear Dmitri, thanks for the reply. I am reading curl source code
now and I notice the distinction between "Negotiate" that comes
from SPNEGO, and "GSS-Negotiate". I'm looking for the definition
of the latter.

> > I am working on adding authentication/authorization
> > to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
> > with GNU Microhttpd. [...]

> > So far, I gather that so-called "SPNEGO" protocol is what everyone
> > uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
> > There's also a "Kerberos on Windows" thing (4559), which actually
> > defines the key pieces such as "WWW-Authenticate: Negotiate".

> What web server are you using? It is mostly something that is used
> outside the application by the web server itself.

As I mentioned, iwhd relies on GNU Microhttpd library to implement
a webserver.

> Like with Apache you can use/configure mod_auth_kerb and if the client
> is configured to negotiate kerberos and the apache server has a keytab
> and a service principal (name) in KDC (freeIPA) you are all set.
> This is how the Katello prototype has been set up.

I see, the vital part here is the need to register the service principal
with the KDC. I was wondering about that too.

> The transactions would require a state. You can try to do something that
> we are planning to do in IPA to reduce the cost of the re-negotiation on
> every request. We plan to use a cookie. But it all depends what your
> transactions are for. Do they define the "commit" boundaries or are they
> just to reduce renegotiation?

I am somewhat disaffected with cookies, as they have a lot of
weaknesses (usually). Certainly, turning around the 401 replies costs
a lot, but until I know for myself that it cannot be avoided (by posting
Authenticate header preventively), I am going to examine the facts
a little more. However, if FreeIPA team comes up with "standard"
way to keep tickets in cookies, I would like to hear the details.

Thanks again,
-- Pete
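Added example (not part of this thread, and not iwhd or FreeIPA code): a stand-alone Python sketch of the RFC 4559 exchange the message is about. It parses the GSS-API initial context token carried in a "Negotiate" header far enough to tell a raw Kerberos token (RFC 4121) from an SPNEGO NegTokenInit (RFC 4178) and to read the mechanism list the client offers, and it shows the server side of the 401 round trip, including the case where the client sends Authorization up front on its first request. The sample tokens, the placeholder AP-REQ bytes, the acceptance policy and the names classify_negotiate and handle_request are all constructed for this example; a real server hands the token to gss_accept_sec_context() with the keytab of the HTTP/host service principal registered in the KDC, rather than deciding on the mechanism OID alone.

```python
import base64

# GSS-API mechanism OIDs seen inside HTTP Negotiate tokens, as arc tuples.
SPNEGO_OID = (1, 3, 6, 1, 5, 5, 2)                  # RFC 4178
KRB5_OID = (1, 2, 840, 113554, 1, 2, 2)             # RFC 4121
MS_KRB5_OID = (1, 2, 840, 48018, 1, 2, 2)           # Microsoft's legacy Kerberos OID
NTLMSSP_OID = (1, 3, 6, 1, 4, 1, 311, 2, 2, 10)     # NTLM, commonly offered by Windows clients
MECH_NAMES = {SPNEGO_OID: "spnego", KRB5_OID: "krb5",
              MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}
ACCEPTED = {"krb5", "ms-krb5"}   # constructed policy: only Kerberos, never downgrade to NTLM


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed DER value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        out.append((tag, child))
    return out


def decode_oid(raw):
    """Decode DER OID contents (first byte packs the first two arcs, rest base-128)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def encode_oid(arcs):
    """Inverse of decode_oid, used only to build the constructed sample tokens."""
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return out


def tlv(tag, value):
    """DER-encode one TLV with short or long length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value (RFC 4559).

    Returns {'mech': name, 'mech_types': [...]} where mech_types is filled for SPNEGO.
    Raises ValueError if the value is not a GSS-API InitialContextToken (RFC 2743 3.1).
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate credential")
    token = base64.b64decode(b64.strip(), validate=True)
    tag, body, end = der_tlv(token)
    if tag != 0x60 or end != len(token):        # [APPLICATION 0] IMPLICIT SEQUENCE
        raise ValueError("not an InitialContextToken")
    oid_tag, oid_raw, rest = der_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    mech = decode_oid(oid_raw)
    result = {"mech": MECH_NAMES.get(mech, ".".join(map(str, mech))), "mech_types": []}
    if mech == SPNEGO_OID:
        choice_tag, neg, _ = der_tlv(body, rest)
        if choice_tag != 0xA0:                  # negTokenInit [0]; [1] is a NegTokenResp
            raise ValueError("expected NegTokenInit")
        (_, init_seq), = der_children(neg)
        for ctag, cval in der_children(init_seq):
            if ctag == 0xA0:                    # mechTypes [0] MechTypeList ::= SEQUENCE OF OID
                (_, mech_list), = der_children(cval)
                result["mech_types"] = [MECH_NAMES.get(decode_oid(v), "?")
                                        for t, v in der_children(mech_list) if t == 0x06]
    return result


def handle_request(headers):
    """Server side of the RFC 4559 round trip; returns (status, response_headers).

    A client that sends Authorization on its first request never sees the 401.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return 401, {"WWW-Authenticate": "Negotiate"}
    try:
        info = classify_negotiate(auth)
    except ValueError:
        return 400, {}
    # SPNEGO's optimistic mechToken belongs to the first listed mechanism (RFC 4178).
    preferred = info["mech"] if info["mech"] != "spnego" else (info["mech_types"] or ["?"])[0]
    if preferred in ACCEPTED:
        return 200, {}                          # would be gss_accept_sec_context() for real
    return 401, {"WWW-Authenticate": "Negotiate"}


# Constructed sample tokens: the AP-REQ body is a placeholder, not a real ticket.
FAKE_AP_REQ = b"\x01\x00" + b"<AP-REQ bytes>"   # TOK_ID 0x0100 = KRB_AP_REQ (RFC 4121 4.1)
RAW_KRB5_TOKEN = tlv(0x60, tlv(0x06, encode_oid(KRB5_OID)) + FAKE_AP_REQ)


def spnego_init(mechs, mech_token):
    """Build a NegTokenInit offering mechs, with mech_token as the optimistic token."""
    mech_list = tlv(0x30, b"".join(tlv(0x06, encode_oid(m)) for m in mechs))
    init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + tlv(0xA0, init))


SPNEGO_KRB5_TOKEN = spnego_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID], RAW_KRB5_TOKEN)
SPNEGO_NTLM_ONLY_TOKEN = spnego_init([NTLMSSP_OID], b"NTLMSSP\x00placeholder")


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Authorization": negotiate_header(SPNEGO_KRB5_TOKEN)}))
    print(handle_request({"Authorization": negotiate_header(SPNEGO_NTLM_ONLY_TOKEN)}))
```

Sending Authorization: Negotiate on the first request does remove the 401 round trip, but only when the client already knows that this host wants Kerberos; the pattern RFC 4559 describes starts with the server's challenge. The NTLM-only offer is answered with a fresh challenge rather than negotiated down, because a server that registered only a Kerberos service principal has nothing to validate an NTLM token against.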
