Re: KDC failover

2005-08-30 Thread Jeffrey Hutzelman



On Tuesday, August 30, 2005 23:59:16 -0400 Jeff Aitken [EMAIL PROTECTED] wrote:



Assuming I've got that part right, here's the part that's got me
confused.  In step #2, the AS generates a session key that will be
used by the client during all future communication with the TGS;
i.e., this is the key with which the client will encrypt future
service ticket requests.  However, if the KDC that granted the TGT
to the client fails, and the client sends a service ticket request
to a different KDC, how does that second KDC validate the client?
Unless I'm missing something, the second KDC doesn't have a copy of
the session key that the client uses to encrypt the request, so he
shouldn't be able to decrypt it successfully.


The TGT is just like any other ticket; it contains information encrypted in
the service's secret key, including a session key.  The TGS, then, is a
single service potentially distributed over multiple machines (KDCs).
Each machine providing that service has a copy of the service key, and thus
can decrypt the ticket, which is provided by the client with every request.


Except for a short-lived replay cache, the KDC itself is essentially 
stateless.  It doesn't remember anything about tickets it has issued.


-- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED]
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
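The failover Jeffrey describes, simulated in Python as an added example that is not part of the thread: two KDC objects share one constructed krbtgt key, the client obtains a TGT and session key from the first KDC, and then presents the TGT plus an authenticator to the second KDC, which needs no state from the first. The cipher is a toy authenticated-encryption stand-in, not a real Kerberos enctype, and the names KDC, as_exchange, tgs_exchange and failover_demo are assumptions for this sketch.

```python
import hashlib, hmac, os

# Toy authenticated encryption standing in for a Kerberos enctype: a SHA-256
# keystream XORed over the plaintext, then an HMAC tag over nonce + ciphertext.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class KDC:
    """One KDC of the realm: holds the shared krbtgt key, keeps no ticket state."""
    def __init__(self, name, krbtgt_key):
        self.name, self.krbtgt_key = name, krbtgt_key

    def as_exchange(self, client):
        # AS_REP: a fresh session key for the client, plus a TGT that carries the
        # same session key sealed under the krbtgt key (opaque to the client).
        session_key = os.urandom(32)
        tgt = encrypt(self.krbtgt_key, client.encode() + b"|" + session_key)
        return session_key, tgt

    def tgs_exchange(self, tgt, authenticator):
        # TGS_REQ: any KDC holding the krbtgt key recovers the session key from
        # the TGT itself, so it needs nothing from the KDC that issued it.
        client, session_key = decrypt(self.krbtgt_key, tgt).split(b"|", 1)
        if decrypt(session_key, authenticator) != client:
            raise ValueError("authenticator does not match the ticket's client")
        return "%s issued a service ticket to %s" % (self.name, client.decode())

def failover_demo(krbtgt_key=None):
    # Constructed realm: two KDCs share one krbtgt key; the client gets its TGT
    # from kdc1 and then talks to kdc2 as if kdc1 had gone down.
    krbtgt_key = krbtgt_key or os.urandom(32)
    kdc1, kdc2 = KDC("kdc1", krbtgt_key), KDC("kdc2", krbtgt_key)
    session_key, tgt = kdc1.as_exchange("alice")
    authenticator = encrypt(session_key, b"alice")
    return kdc1.tgs_exchange(tgt, authenticator), kdc2.tgs_exchange(tgt, authenticator)
```

A KDC configured with a different krbtgt key fails the tag check on the TGT and rejects the request, which is the failure the original question expected from the second KDC and which the shared key avoids.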


Re: KDC Failover

2005-04-06 Thread Russ Allbery
Nick Bernstein [EMAIL PROTECTED] writes:

 I've been reading through the kerberos o'reilly book, and it seems like
 the only way to do kdc failover is to run a high availability kdc --
 i.e. make it look like the kdc never fails, even if it does; either by
 having the kdc that the clients are talking to be a virtual ip which is
 taken over by a second if either of the kerberos ports goes down, or
 similarly, if the kdc fails, then there is a dns change, or something
 like that, but it seems hard to imagine that I can't just specify a
 second kdc to failover to... is there a way to specify this in the
 krb5.conf or another file?

Er, yeah, just add a second KDC to fail over to.

 The man page for the krb5.conf doesn't seem to show any examples of how
 to add a secondary kdc or kadmin server for failover.

You don't want to list more than one kadmin server, as MIT Kerberos (at
least) doesn't support multi-master.  However, you can list lots of KDCs
just by, well, listing lots of KDCs:

[realms]
    stanford.edu = {
        kdc          = kerberos1.stanford.edu:88
        kdc          = kerberos2.stanford.edu:88
        kdc          = kerberos3.stanford.edu:88
        admin_server = krb5-admin.stanford.edu
    }

for instance.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
