Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>

Any Kerberos principal can authenticate to other principals within the same Kerberos realm. However, it is also possible to configure a Kerberos realm so that principals in one realm can authenticate to principals in another realm. This is called cross-realm authentication.

This is implemented by having the KDCs in the two realms share a special cross-realm secret, which is used to prove the identity of principals when crossing the boundary between realms.

Kerberos 5 supports an additional variant of this called transitive cross-realm authentication. In traditional cross-realm authentication, each pair of realms that wishes to authenticate needs to share a cross-realm secret. This means that in a group of N realms, 2 * ((N - 1) ** 2) secrets will need to be exchanged in order to cover all possible cross-realm authentication paths.

In transitive cross-realm authentication you can define a path of realms connected via cross-realm secrets and use this path to "hop" between realms until you get credentials in the desired realm.

Information on configuring cross-realm authentication can be found in the answer to Question 2.15.
Last Update March 27 2014 @ 02:11 PM