Kerberos Ticket Authentication

Should you have problems with the MS logon plugin, here's the place to look for help or report issues.

Kerberos Ticket Authentication

Postby PenguinJeff » 2014-04-30 15:33

First a query if this is being worked on:
Is there a Kerberos Ticket Authentication module or method? I see that you can use a domain username password but would like to use Kerberos tickets for single sign on authentication.

If not:
A few questions/ideas about how to begin:
Should I use/modify a DSM Plugin?
Would I want to wrap/tunnel the connection and use a dummy(pre-configured normal password on client and server) password scheme
Having the tunneled connection use the kerberos ticket to authenticate.
I could possibly use PAM in linux to authenticate on the kerberos ticket.
PenguinJeff
 
Posts: 2
Joined: 2014-04-30 15:10

Re: Kerberos Ticket Authentication

Postby Rudi De Vos » 2014-04-30 19:30

being worked on: No

To test, a seperate tunnel with auth and encryption ( why not adding socket encryption and compression) is the easiest.

vncviewer connect to tunnel <-->tunnel connect to server.
Insite the tunnel normal vnc auth.

This way you don't have to change a vnc bit...updates wil still work and you can use any vnc flavor.
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5485
Joined: 2004-04-23 10:21

Re: Kerberos Ticket Authentication

Postby PenguinJeff » 2014-05-01 16:12

Rudi De Vos wrote:being worked on: No

To test, a seperate tunnel with auth and encryption ( why not adding socket encryption and compression) is the easiest.

vncviewer connect to tunnel <-->tunnel connect to server.
Inside the tunnel normal vnc auth.

This way you don't have to change a vnc bit...updates will still work and you can use any vnc flavor.

My thoughts where to grab the ssl tunnel plugin and add some code to it to use the kerberos ticket to authenticate.
I was thinking the normal vnc auth that is sort of what I meant by dummy password scheme. The whole idea is a single sign on.
So I could just turn off passwords on VNC and require the tunnel. If I set it up correctly I could set the allowed kerberos tickets by changing the access permissions on a directory tied to my code.

Client side would start an ssl tunnel use the kerberos ticket to try and read a directory on the server side. If accepted open the vnc session.

Current Ideas in my head are thinking maybe a hidden share called something like vncpass$ set permissions on the share to only allow groups/users you want and my plugin could just use that to tell the client how to login. Hmm I might not need to do much at all. Maybe just share the place where the password is stored(the ultravnc config file) already with the permissions I want. I could have it randomize the password daily and only allowed users could read the config file with the passwords.
PenguinJeff
 
Posts: 2
Joined: 2014-04-30 15:10


Return to MS logon plugin

Who is online

Users browsing this forum: No registered users and 3 guests