Re: kerberos and web-single signon, a good solution??

From: Thomas Vincent (thomasv_at_mac.com)
Date: 03/12/04


Date: 11 Mar 2004 20:14:10 -0800

bisibis@pt.lu (paul b) wrote in message news:<1f716d42.0403090731.4e183ec7@posting.google.com>...
> Hello,
> I am currently developing a "web single signon"-system and I am
> thinking about using Kerberos for this purpose

This article at Oreilly's Onlamp.com might help:
http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html

> The goal is that a user has to identify itself once, using a
> X.509-certificate and that he has then access to a set of web-sites.
> In addition, I have an LDAP tree that could be used for managing the
> user rights.

X.509 has nothing to do with Kerberos. X.509 relates to PKI.

> I am not 100% familiar with Kerberos, so I don't know if my idea
> works:
> I wanted to authenticate the user on the first connection using their
> certificate. Based on the certificate, it should be possible to get
> the user's Kerberos(username, REALM and password) information from the
> LDAP-tree and pass this information to the Kerberos Authentication
> server in order to get a ticket.

Sorry, I don't think this would work. Kerberos doesn't use X.509
certs. You are better off using http://modauthkerb.sourceforge.net and
authenticating directly against the KDC. Otherwise just use a straight
PKI implementation using X.509 certs.

> Is this scenario possible and if yes, will it be transparent to the
> user (the best would be to authenticate the user only with its
> certificate, but one password popup could be tolerable ;-)) and not too
> hard to implement.

This scenario is not possible.

> As I understood, users must log in manually to the Kerberos system
> using Linux commands like "kinit", ... and there are a lot of other
> commands that have to be typed by the user. Is that really necessary or
> is it possible to "automate" these functions so that they are
> transparent to the user?

Following the Oreilly article and reading the docs for
http://modauthkerb.sourceforge.net/ you should be able to make it
transparent from a web perspective.

> Does kerberizing a web-site introduce big changes to the site itself,
> can I interface Kerberos with the original login-functions or how does
> this work??

No, but kerberizing the rest of the architecture does.

> Perhaps someone can tell me if Kerberos is really a good solution for
> web single signon (and fully transparent to end users) or if there are
> simpler possibilities like, for example, installing a "reverse
> proxy"?

Generally, when people use Kerberos it is because they have an existing
Kerberos infrastructure they are trying to preserve. MIT and CMU are
great examples of this.
If you don't, and you just want to have single sign-on for the web, use
X.509. If you want to include CLI tools and such, then use
Kerberos.

> Could I, in later stages, also interface Kerberos with an SAP server,
> Citrix, ...

SAP and Citrix, I am pretty sure, use Active Directory, which uses a
form of Kerberos and LDAP. Otherwise they would have had to be written to
use Kerberos. You can't just slap it on.

I would suggest you pick up O'Reilly's Kerberos book (
http://www.amazon.com/exec/obidos/tg/detail/-/0596004036/qid=1079064663/sr=8-1/ref=pd_ka_1/103-0303850-7070266?v=glance&s=books&n=507846
).

Second, I would consider subscribing to the Kerberos mailing lists if
you are interested in Kerberos. They can give you a much more detailed
answer.

Remember, PKI and Kerberos are not something you can just slap on.
Tools have to be written to support them in the first place.

Cheers,
Tom
MACSec InfoSec news
http://www.macsec.info
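The reply above points at mod_auth_kerb as the way to make Kerberos "transparent from a web perspective". The following Apache virtual host is an added example of what that looks like; it is not from the post or from the mod_auth_kerb project itself. The hostname www.example.org, the realm EXAMPLE.ORG and the keytab path are assumptions. It shows the two ways mod_auth_kerb can authenticate a browser: the Negotiate (SPNEGO) method, which uses the ticket the user already holds and involves no password prompt, beside the "one password popup" fallback the original poster said would be tolerable, which makes the browser send the Kerberos password to the web server in an HTTP Basic header.

```apache
# Added example: Apache + mod_auth_kerb for web single sign-on against a
# Kerberos KDC. Hostname, realm and keytab path are assumptions.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    # ... SSLCertificateFile / SSLCertificateKeyFile as usual ...

    # Preferred configuration: Negotiate only. The browser presents a
    # service ticket for HTTP/www.example.org@EXAMPLE.ORG, obtained with
    # the TGT it already has (kinit at login, or an AD/Windows logon).
    # No password ever reaches the web server; this is the transparent
    # SSO the thread asks about.
    <Location /sso>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.ORG
        KrbServiceName HTTP
        # The keytab holds the long-term key of the HTTP/www.example.org
        # principal; the module needs it to decrypt and verify tickets.
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbSaveCredentials off
        Require valid-user
    </Location>

    # Weaker fallback: accept a username/password popup (HTTP Basic) and
    # let the web server do the equivalent of kinit on the user's behalf.
    # The user's Kerberos password transits to the web server, so this
    # is only acceptable over TLS, and KrbVerifyKDC must stay on so that
    # an attacker who can answer as the KDC cannot forge a successful
    # login (the module checks the TGT it obtained against the keytab).
    <Location /sso-password>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.ORG
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbVerifyKDC on
        KrbSaveCredentials off
        Require valid-user
    </Location>
</VirtualHost>
```

Two checks before trusting this: the keytab must contain the HTTP/www.example.org principal and be readable only by the Apache user, and the realm's KDC must know that service principal, otherwise the Negotiate leg fails and (in the second block) the browser silently falls back to the password popup, which is the weaker path. Nothing here touches X.509; a client certificate and a Kerberos ticket are separate credentials, which is the point the reply makes.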