
shibboleth-dev - Re: Shibboleth and Kerberos Tickets

Subject: Shibboleth Developers

Re: Shibboleth and Kerberos Tickets


  • From: Shilen Patel <>
  • To:
  • Subject: Re: Shibboleth and Kerberos Tickets
  • Date: Mon, 16 Jul 2007 11:05:11 -0400

Scott Cantor wrote:
The applications that receive the proxy token treat the proxy token just
like a password. The applications just pass it to the backend servers,
which have a PAM module to support it. Does that answer your question?

If it's treated like a password, then what's the significance of Kerberos to
this use case? Couldn't any attribute be used like this already?

It seems odd to overcomplicate the code with Kerberos if you're bypassing
the cryptographic parts. Or maybe I'm still not getting it.

-- Scott



The proxy token is treated like a password by the applications, but the PAM module verifies the ticket data and checks the lifetime. If we used just any static attribute, that would not be secure.

-- Shilen




