Re: [Ganymede Dev] Re: many G... questions

Date Fri, 5 Jul 2002 11:18:04 +1000
From Luke Howard <lukeh@PADL.COM>


>So, what form does the ticket take?  As I understand it, the ticket is
>meant to be passed to a service requesting authentication through a
>public key managed transfer, yes?  Or could the client simply send a
>fixed binary ticket to the server over an RMI/SSL transfer, and then
>have the server check the ticket out against the ticket issuing
>agency?

The ticket is obtained by the client from the ticket issuing agency (KDC),
but is encrypted with the service's secret key. Thus the service can
validate that the KDC issued it. The authentication exchange is defined
for many protocols (ONC RPC, LDAP, etc) in terms of GSS-API, possibly
encapsulated by SASL. I'm not sure what RMI defines here but of course
there's nothing to stop you implementing this above the actual RPC
transport.

See http://www.isi.edu/gost/publications/kerberos-neuman-tso.html.

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
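
The point made in the reply above, that a ticket sealed under the service's secret key can be validated by the service itself, shown as an added example (not part of the original message and not Ganymede or Kerberos code). The KDC class, the JSON ticket layout and the HMAC-based sealing are hypothetical stand-ins for real Kerberos encryption types, and the client authenticator that real Kerberos sends alongside the ticket is omitted.

```python
import hashlib, hmac, json, os, time

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode); illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC under a long-term key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("ticket too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("ticket was not sealed under this service's key")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class KDC:
    """Hypothetical ticket issuing agency holding every service's secret key."""
    def __init__(self):
        self.service_keys = {}

    def register(self, service):
        self.service_keys[service] = os.urandom(32)
        return self.service_keys[service]      # shared with that service only

    def issue_ticket(self, client, service, lifetime=300):
        session_key = os.urandom(32)
        body = {"client": client, "service": service,
                "expires": time.time() + lifetime, "session_key": session_key.hex()}
        ticket = seal(self.service_keys[service], json.dumps(body).encode())
        return ticket, session_key             # the client cannot read the ticket

def service_accept(name, service_key, ticket, now=None):
    """Runs on the service: no call back to the KDC is needed."""
    body = json.loads(unseal(service_key, ticket))
    if body["service"] != name:
        raise ValueError("ticket was issued for a different service")
    if body["expires"] < (time.time() if now is None else now):
        raise ValueError("ticket expired")
    return body["client"], bytes.fromhex(body["session_key"])
```
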
