[squid-users] Kerberos authentication with multiple squids
Grant Taylor
gtaylor at tnetconsulting.net
Mon Oct 18 05:06:55 UTC 2021
On 10/17/21 10:57 AM, Grant Taylor wrote:
> My understanding is that you can use Kerberos from client0 to proxy1 and
> that proxy1 can use the same mechanism to get a special ticket to
> communicate from proxy1 to proxy2 as the original user.
I looked at my copy of Kerberos - The Definitive Guide by Jason Garman
from O'Reilly and found the following terms that seem to be in play here.
The concept that I'm alluding to seems to be broadly known as
"credential forwarding". More specifically there are a couple of
options / constraints that can be added to a TGT that seem to come into
play here; forwardable tickets and proxiable tickets. The latter seems
to be a subset of the former.
The following quote comes from the Ticket Options section of chapter 3 -
Protocols. (Sorry, I don't have a page number when looking at
O'Reilly's learning portal.)
--8<--
Proxiable tickets -- You can also set the proxiable flag on a ticket.
Proxiable tickets are similar to forwardable tickets in that they can be
transferred to another host. However, a proxiable TGT can only be used
to acquire further service tickets; it cannot be used to acquire a new
TGT on the target host.
-->8--
This sounds to me like client0 could use a forwardable or proxiable
ticket when talking to squid1 and squid running on squid1 can get and
use a service ticket for the user on squid2.
--
Grant. . . .
unix || die
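As an added illustration, not part of Grant's mail or of Squid itself, the following Python decodes the TicketFlags bit string defined in RFC 4120 section 5.4.1 (and the letters MIT `klist -f` prints for the same flags) and states what a first proxy hop can do toward a second one given the user's TGT flags. The flag-to-bit mapping and the three outcomes follow RFC 4120 sections 2.5 and 2.6; the hostnames squid1 and squid2 are taken from the mail, and the sample flag values in the comments are constructed.

```python
# Added example: decode Kerberos TicketFlags (RFC 4120 section 5.4.1) and
# classify the delegation a first proxy hop (squid1) can perform toward squid2.

# RFC 4120 numbers flag bits from the most significant bit of a 32-bit
# KerberosFlags bit string: bit 0 is reserved, bit 1 is forwardable, ...
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}

# Letters MIT Kerberos `klist -f` prints for the same flags (klist man page).
KLIST_LETTERS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "i": "invalid", "R": "renewable",
    "I": "initial", "A": "pre-authent", "H": "hw-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate",
}


def decode_ticket_flags(flags: int) -> set:
    """Names of the flags set in a 32-bit TicketFlags value (e.g. 0x40E00000)."""
    return {name for name, bit in TICKET_FLAG_BITS.items()
            if flags & (1 << (31 - bit))}


def parse_klist_flags(letters: str) -> set:
    """Flag names for the flag column of `klist -f`, e.g. a constructed 'FRIA'."""
    unknown = set(letters) - set(KLIST_LETTERS)
    if unknown:
        raise ValueError(f"unknown klist flag letters: {sorted(unknown)}")
    return {KLIST_LETTERS[c] for c in letters}


def next_hop_delegation(tgt_flags: set) -> tuple:
    """What squid1 may do toward squid2 as the user, given the user's TGT flags.
    Follows RFC 4120 sections 2.5 (proxiable) and 2.6 (forwardable)."""
    if "invalid" in tgt_flags:
        return "none", "TGT is marked invalid and must not be honoured"
    if "forwardable" in tgt_flags:
        return "forward", ("squid1 can hold a forwarded TGT and obtain service "
                           "tickets, including new TGTs, for squid2 and beyond")
    if "proxiable" in tgt_flags:
        return "proxy", ("squid1 can use a service ticket for squid2 issued via "
                         "the proxiable TGT but cannot obtain a new TGT itself")
    return "none", "TGT is neither forwardable nor proxiable; no delegation"
```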