Using GPG Keys for the Kerberos Users Identification

Simon Josefsson jas at extundo.com
Fri Sep 3 22:46:49 CEST 2004


Kate Aniket Pundlik <aniketpkate at cse.iitb.ac.in> writes:

> Hello,
>       I am a  Computer Science graduate student at IIT Bombay, India. 
> Due to our interest in Kerberos and PGP, my team is thinking of doing 
> the project "Using GPG Keys for the Kerberos Users Identification". But 
> we have lots of doubts about these like
>            Which API or library of GnuPG to be used or can be more 
> suitable ?
>             How to make use of this for practical purposes ?

I'm not sure it is what you are looking for, but Shishi will be able
to do initial user authentication to Kerberos using OpenPGP keys,
instead of using normal Kerberos passwords.

The idea is to negotiate TLS to the Kerberos server, then use OpenPGP
authentication in TLS, and then have the Kerberos server give out a
Kerberos TGT for the user based on the TLS authentication.  The TGT
can be used to authenticate to Kerberos services as any other TGT.

The last public Shishi release supports X.509 authentication on the
client side.  Adding the OpenPGP part is pending, but should be simple
given the good support for OpenPGP in GnuTLS.  A practical remaining
problem is that, if I understand correctly, GnuTLS does not support the
same OpenPGP key rings that GnuPG uses.

Since GnuPG isn't involved, this might be off topic here, but I'd be
happy to discuss this with anyone interested.

The protocol to negotiate TLS against the Kerberos server is specific
to Shishi; I have described it in the Shishi manual:

http://www.gnu.org/software/shishi/manual/html_node/STARTTLS-protected-KDC-exchanges.html

Thanks,
Simon



