Pubcookie Home > Documentation 
Pubcookie Homepage Pubcookie 3.3
Kerberos Credential Passing
Component:  Pubcookie Login Server
Audience:  Kerberos sites
Modified:  March 2, 2006

Included on this page:


Using the "getcred" login flavor, trusted application servers can request Kerberos credentials for 3-tier authentication scenarios. This feature works along side of the "basic" login flavor and is only meaningful for sites with Kerberos 5 underpinings.

Build GetCred Flavor

Support for the "getcred" login flavor comes for free; you don't actually have to do anything to build it in. But it won't do anything without the Kerberos 5 verifier, so be sure to build it in using the --enable-krb5 configure option.


To enable Kerberos credential passing in the login cgi, add the save_credentials variable to your config file and adjust the default_realm and append_realm variables as needed. For example:

# kerberos verifier config
basic_verifier: kerberos_v5
kerberos5_service_name: pubcookie
kerberos5_keytab: /usr/local/pubcookie/keys/pubcookie.keytab
save_credentials: t
getcred_authz_file: /usr/local/pubcookie/getcred_authz
default_realm: MYREALM.EXAMPLE.EDU
append_realm: true

The getcred_authz text file defines which application servers are allowed to request credentials from the "getcred" flavor.

Lines in this file have the following form: SERVICE/ OK

But you can use wildcards. For example: imap/* OK imap/* OK
portal-dev? imap/* OK adm/* OK */* OK

This would allow a webmail server and a portal server to request IMAP service tickets; possibly more than one portal development servers (e.g., portal-dev1 and portal-dev2) to request IMAP service tickets; a dedicated CGI server to get ADM tickets (used for self-service quota setting); and your site administrator's personal test server to get any service ticket.

Requesting Kerberos Credentials

Sites with a login server that support the "getcred" login flavor can configure the module to request additional Kerberos credentials for 3-tier authentication scenarios.

To configure the module to request that it be sent Kerberos credentials, configure the AuthType to specify your "getcred" login flavor and use the directive to specify the service ticket you want. For example:

<Location "/test">
AuthType getcred
require valid-user
PubcookieAddlRequest cred_target=adm/

When someone navigates to the test directory, they will be sent off to the login server to get a Kerberos 5 service ticket for adm/

You can request multiple tickets with the following syntax:

<Location "/webmail">
AuthType getcred
Require valid-user
PubCookieAddlRequest cred_target=imap/;smtp/

Here whenever one navigates to the webmail directory, they'll be sent to the login server and to get both IMAP and SMTP tickets, presumably so they can read and send mail authenticated thru the webmail application.

Kebereros tickets passed via the "getcred" flavor are stored in a separate Pubcookie session cookie on the application server. They are exposed to an application by means of a temporary file whose location is defined by the KRB5CCNAME environment variable (usually /tmp/k5cc_(pid)_(userid)). An application can retrieve the service ticket from this file and pass it as a credential to authenticate to appropriate services. Once the request has been handled the temporarily cached credentials are removed by the module.

[Pubcookie Home Page]
Copyright © 2002-2008 University of Washington
UW Technology Services
Pubcookie Contact Info
Modified: March 2, 2006