
Re: Kerberos authentication with multiple squids


On 10/17/21 10:57 AM, Grant Taylor wrote:
My understanding is that you can use Kerberos from client0 to proxy1 and that proxy1 can use the same mechanism to get a special ticket to communicate from proxy1 to proxy2 as the original user.

I looked at my copy of Kerberos - The Definitive Guide by Jason Garman from O'Reilly and found the following terms that seem to be in play here.

The concept that I'm alluding to seems to be broadly known as "credential forwarding". More specifically there are a couple of options / constraints that can be added to a TGT that seem to come into play here; forwardable tickets and proxiable tickets. The latter seems to be a subset of the former.

The following quote comes from the Ticket Options section of chapter 3 - Protocols. (Sorry, I don't have a page number when looking at O'Reilly's learning portal.)

--8<--
Proxiable tickets -- You can also set the proxiable flag on a ticket. Proxiable tickets are similar to forwardable tickets in that they can be transferred to another host. However, a proxiable TGT can only be used to acquire further service tickets; it cannot be used to acquire a new TGT on the target host.
-->8--

This sounds to me like client0 could use a forwardable or proxiable ticket when talking to squid1 and squid running on squid1 can get and use a service ticket for the user on squid2.



--
Grant. . . .
unix || die

<<attachment: smime.p7s>>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
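
Added example, not part of the message above or of Squid: a Python check of which of the two ticket options discussed (forwardable, proxiable) a user's TGT actually carries, read from `klist -f` output. It assumes the MIT Kerberos `klist -f` layout and flag letters; the sample output, realm and host names are constructed.

```python
import re

# Flag letters as printed by MIT Kerberos `klist -f` (subset relevant here).
FLAG_NAMES = {"F": "forwardable", "f": "forwarded", "P": "proxiable",
              "p": "proxy", "R": "renewable", "I": "initial",
              "A": "pre-authenticated", "O": "ok-as-delegate"}

# Constructed sample output; realm and host names are made up.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
10/17/2021 10:00:00  10/17/2021 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/24/2021 10:00:00, Flags: FPRIA
10/17/2021 10:05:00  10/17/2021 20:00:00  HTTP/squid1.example.com@EXAMPLE.COM
\tFlags: RA
"""

# A ticket entry line: start date/time, expiry date/time, service principal.
ENTRY = re.compile(r"^\d\d/\d\d/\d{2,4} \S+\s+\d\d/\d\d/\d{2,4} \S+\s+(\S+)$")
FLAGS = re.compile(r"Flags: (\w+)")

def parse_klist(text):
    """Return [(service_principal, set_of_flag_letters), ...]."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            tickets.append((m.group(1), set()))
        elif tickets and (f := FLAGS.search(line)):
            # The flags line follows the entry it belongs to.
            tickets[-1][1].update(f.group(1))
    return tickets

def describe(flags):
    """Human-readable names for a set of flag letters."""
    return sorted(FLAG_NAMES.get(c, c) for c in flags)

def delegation_options(tickets):
    """What the TGT's flags allow to be handed to an intermediate host."""
    opts = set()
    for principal, flags in tickets:
        if principal.startswith("krbtgt/"):
            if "F" in flags:
                opts.add("forward a TGT")
            if "P" in flags:
                opts.add("proxy service tickets")
    return opts
```

An empty result from `delegation_options` means the TGT carries neither flag, so no credential can be passed on to the first proxy regardless of how the proxies are configured.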
