[squid-users] Kerberos authentication with multiple squids

Grant Taylor gtaylor at tnetconsulting.net
Mon Oct 18 05:06:55 UTC 2021


On 10/17/21 10:57 AM, Grant Taylor wrote:
> My understanding is that you can use Kerberos from client0 to proxy1 and 
> that proxy1 can use the same mechanism to get a special ticket to 
> communicate from proxy1 to proxy2 as the original user.

I looked at my copy of Kerberos - The Definitive Guide by Jason Garman 
from O'Reilly and found the following terms that seem to be in play here.

The concept that I'm alluding to seems to be broadly known as 
"credential forwarding".  More specifically there are a couple of 
options / constraints that can be added to a TGT that seem to come into 
play here; forwardable tickets and proxiable tickets.  The latter seems 
to be a subset of the former.

The following quote comes from the Ticket Options section of chapter 3 - 
Protocols.  (Sorry, I don't have a page number when looking at 
O'Reilly's learning portal.)

--8<--
Proxiable tickets -- You can also set the proxiable flag on a ticket. 
Proxiable tickets are similar to forwardable tickets in that they can be 
transferred to another host.  However, a proxiable TGT can only be used 
to acquire further service tickets; it cannot be used to acquire a new 
TGT on the target host.
-->8--

This sounds to me like client0 could use a forwardable or proxiable 
ticket when talking to squid1 and squid running on squid1 can get and 
use a service ticket for the user on squid2.



-- 
Grant. . . .
unix || die
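The forwardable-versus-proxiable distinction quoted above, worked through as a small decoder. This is an added example, not part of the original post and not Squid's own code: it reads the 32-bit TicketFlags word defined in RFC 4120 section 5.3 (bit 0 is the most significant bit, as for any ASN.1 BIT STRING), maps the set bits to the letters MIT "klist -f" prints, and applies the rule from the book to the squid1-to-squid2 hop. The two flag words are constructed sample values, and second_hop_allowed is a hypothetical helper name chosen for this illustration.

```python
"""Decode Kerberos TicketFlags (RFC 4120 section 5.3) and apply the
forwardable / proxiable rule to a second proxy hop.

Added example for the squid-users thread; not Squid or MIT code.
"""

# RFC 4120 TicketFlags bit positions.  ASN.1 BIT STRING numbering:
# bit 0 is the most significant bit of the 32-bit word, so flag n is
# tested with mask 1 << (31 - n).
TICKET_FLAGS = {
    1: "forwardable",
    2: "forwarded",
    3: "proxiable",
    4: "proxy",
    5: "may-postdate",
    6: "postdated",
    7: "invalid",
    8: "renewable",
    9: "initial",
    10: "pre-authent",
    11: "hw-authent",
    12: "transited-policy-checked",
    13: "ok-as-delegate",
}

# Letters MIT `klist -f` prints, in the order klist prints them.
KLIST_LETTERS = [
    ("forwardable", "F"), ("forwarded", "f"),
    ("proxiable", "P"), ("proxy", "p"),
    ("may-postdate", "D"), ("postdated", "d"),
    ("invalid", "i"), ("renewable", "R"),
    ("initial", "I"), ("hw-authent", "H"),
    ("pre-authent", "A"), ("transited-policy-checked", "T"),
    ("ok-as-delegate", "O"),
]


def decode_ticket_flags(word: int) -> set:
    """Return the names of the flags set in a 32-bit TicketFlags word."""
    if not 0 <= word < 2 ** 32:
        raise ValueError("TicketFlags is a 32-bit field")
    return {name for bit, name in TICKET_FLAGS.items()
            if word & (1 << (31 - bit))}


def klist_flags(word: int) -> str:
    """Render the flags the way `klist -f` would, e.g. 'FRIA'."""
    names = decode_ticket_flags(word)
    return "".join(letter for name, letter in KLIST_LETTERS if name in names)


def second_hop_allowed(word: int, need_new_tgt: bool) -> bool:
    """Can the first proxy act for the user towards the second proxy?

    Forwardable: the first hop may obtain a new TGT for the user on the
    next host, so anything is possible.
    Proxiable: the first hop may only obtain further service tickets;
    asking for a new TGT on the target host is refused.
    Neither flag: no delegation at all.
    """
    names = decode_ticket_flags(word)
    if "forwardable" in names:
        return True
    if "proxiable" in names:
        return not need_new_tgt
    return False


# Constructed sample values (not captured from a real KDC):
# forwardable + renewable + initial + pre-authent, what `kinit -f` yields
FORWARDABLE_TGT = 0x40E00000
# proxiable + initial + pre-authent, what `kinit -p` yields
PROXIABLE_TGT = 0x10600000

if __name__ == "__main__":
    for label, word in (("kinit -f", FORWARDABLE_TGT), ("kinit -p", PROXIABLE_TGT)):
        print(f"{label}: klist flags {klist_flags(word)}; "
              f"service ticket on squid2: {second_hop_allowed(word, False)}; "
              f"new TGT on squid2: {second_hop_allowed(word, True)}")
```

The practical check on a client is simply "klist -f" after kinit: an F in the flags column means the TGT can be forwarded, a P means it can only be proxied. Note that the flag only says what the KDC will permit; whether the first Squid actually forwards or proxies the credential is a separate question about the proxy software.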
