If I understand GSS proxy right, I provide a keytab with my password in it so that it can get a TGT as me whenever it wants. The keytab may not be human readable, but it is directly usable by kinit. This seems too much like typing my passwd into a plain text file.
You do not give it "your" keytab. It has its own.
Ah. I had to give k5start a keytab with my encrypted password in it. It doesn't have its own Kerberos identity. How does gss-proxy authenticate as me, then?
I also don't understand how s4u2proxy can be considered "constrained" delegation, or even really delegation: "The client has no control over whether a service can delegate on behalf of the user. The client does not request delegation nor does it pass a forwardable TGT to the service. The client cannot detect that delegation will be, or has been, performed. If local policy allows the service to perform S4U2proxy delegation, this delegation is performed solely at the discretion of the service." It sounds more like identity appropriation to me. Like "su - <username>" by root.
No. This is not how it works. S4U2proxy running on service A takes the ticket that you sent to service A and asks the KDC whether it can get a ticket to service B for this user, on the user's behalf. It is constrained in terms of the KDC having all the policies that define the rules for which services in set A can impersonate which users when talking to services B. It is constrained by these relationships. It is not the wild west.
Wouldn't my service ticket expire at the same time my TGT does? How does this help me make sure my ticket stays valid for the life of my long lived process?
The part in quotes was from the Microsoft website explaining how s4u2proxy works. Bullet #1 (not quoted) seems to say the opposite of the above. The verbatim quote is from the fourth bullet point, here:
http://msdn.microsoft.com/en-us/library/cc246079.aspx
I would be very happy to learn that this is a mistake, but their page is clear to the point of being emphatic.
A certificate and a keytab are not different from each other, so I really do not see a point here. Everything that you describe can be done just using a keytab.
Ah, so we're back to "what's in the keytab?" If it's gss-proxy's keytab, what does it have to do with me? How does my identity get delegated?
In any case, keytabs are long-term secrets (for users or services), and proxy certificates are not. If I'm going to give something access to my identity, I don't want to be giving it my long-term secret (password), but I do want to give it _something_! It's also my understanding that DogTag is set up to securely store certificates, controlling their release to authorized parties. I am not aware of a similar service for keytabs.
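Since the thread keeps coming back to what a keytab actually holds, here is an added example (not from the list or from gss-proxy) that builds and parses a small MIT keytab and flags entries whose long-term key belongs to a user principal rather than a service. The realm, principals and key bytes are constructed, and the "single component means user" test is a heuristic.

```python
import struct
# Well-known Kerberos enctype numbers (RFC 3961/3962); anything else is reported numerically.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(data):  # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab_entry(realm, components, kvno, enctype, key, timestamp=0):
    """Serialize one MIT keytab (version 0x0502) entry: big-endian, length-prefixed."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock: enctype, length, key material
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob):
    """Walk a keytab image and describe each entry; the key bytes themselves are never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:          # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos); pos += 4
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4 + klen   # step over the key
        kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": klen,
                        "is_user": ncomp == 1})  # heuristic: services look like service/host
        pos = end
    return entries

def user_principals(blob):
    """Principals in this keytab that name a user rather than a service (their key is password-derived)."""
    return [e["principal"] for e in parse_keytab(blob) if e["is_user"]]

# Constructed sample: one service key and one user's long-term key; the key bytes are dummies.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_keytab_entry("EXAMPLE.COM", ["HTTP", "web.example.com"], 3, 18, b"\x11" * 32)
    + build_keytab_entry("EXAMPLE.COM", ["alice"], 7, 18, b"\x22" * 32))
```

Running `user_principals` over a real keytab (read with `open(path, "rb").read()`) shows whether it holds a user's long-term key, which is exactly the thing the poster does not want to hand to a daemon.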