How does keytab work exactly?
dorothy
i have some questions on using keytab for Authentication hope the kind people here can enlightend me
Say, i have userA who is going to use a service running at port 1010. First, userA will login to Active Directory to authenticate himself.
After login, userA will try to connect to the server to use its service 1010. In order for the server to verify that UserA is who he is, I need to use setspn to register SPN at the Active Directory. eg
setspn -s service1010/mydomain.com serviceaccount1
Then need to generate ktab file at Active directory, eg
ktab -a serviceprincal1010/[email protected] -k mykeytab.keytab
and then bring mykeytab.keytab to the server.
At the server, I would use JAAS with a login config to query the KDC eg
ServicePrincipalLoginContext
{
com.sun.security.auth.module.Krb5LoginModule required
principal=serviceprincal1010/[email protected]
doNotPrompt=true useKeyTab=true keyTab=mykeytab.keytab storeKey=true;
};
From this point on, I am confused. How does userA get verified (ie, userA is actually who he is? ).
Fred the Magic Wonder Dog
Your diagram is wrong. You have a basic misunderstanding about how kerberos works. ( It's fairly common by the way). A service that uses kerberos for authentication NEVER talks to the kdc. All it ever does is use it's secret key ( keytab ) to decrypt blobs that are presented by the user.
The only part of kerberos that ever talks to the KDC is the client or user side. When it attempts to access the service at port 1010, it first asks the KDC for a service ticket for that service. This is a blob encrypted with the service's secret key that has the user's identity inside it. ( plus a bunch of other protocol related stuff ).
If you have an GSS based api inside your service on port 1010, all you need to do is tell that API where the keytab is and then ask it what the userid is on the connection. You never need to make any other connections to external services. I am not familiar with the Java API's, but there should only be one or two calls required to verify the user credentials.
While this dialogue doesn't exactly match the version of Kerberos currently in use, it will help you understand the basic principals.
Collected from the Internet
Please contact [email protected] to delete if infringement.
edited at
- Prev: Different storage position of equal strings with special characters
- Next: Htaccess remove string from URL
Related
Related Related
- 1
How exactly does the callstack work?
- 2
How exactly does CMake work?
- 3
How does lock work exactly?
- 4
How exactly does linking work?
- 5
How exactly does the MenuInflater work?
- 6
How does the << Operator exactly work?
- 7
How does this for/in loop work exactly?
- 8
How exactly does a proxy work?
- 9
How exactly does linking work?
- 10
How exactly does DNS work?
- 11
How exactly does "/bin/[" work?
- 12
How does this for/in loop work exactly?
- 13
How does this function work exactly?
- 14
How does List Comprehension exactly work in Python?
- 15
numpy rollaxis - how exactly does it work?
- 16
How exactly does link rel="preload" work?
- 17
How exactly does the Hibernate @OneToMany annotation work?
- 18
How exactly does the Spring BeanPostProcessor work?
- 19
how does ifstream readsome exactly work
- 20
How exactly does Tomcat's Threadpool work
- 21
How does git commit --amend work, exactly?
- 22
How does "304 Not Modified" work exactly?
- 23
How exactly does the possessive quantifier work?
- 24
How exactly does the "let" keyword work in Swift?
- 25
How exactly does addStretch work in QBoxLayout?
- 26
How does a linker work exactly (microcontroller context)?
- 27
Exactly how does this class variable work?
- 28
How does the Erlang comparison operator work exactly?
- 29
Linkage between files - how exactly does it work?
Comments