Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Inter-realm
Chapter 8 245
Considering Trust Relationships
You may establish a multiple-realm environment within your enterprise
for any of several reasons. Whatever the reason, if principals in one
realm need access to secured services supported in a different realm,
you must establish a trust relationship between the realms.
When two distinct realms share secret keys, the two realms are said to
trust one another. With that trust in place, principals can securely access
services in their native realm as well as those in the trusted foreign
realm.
Inter-realm authentication begins with relying on secure authentication
between users and the Security Server in a single realm. The shared
inter-realm key between trusted servers provides the extra link to create
a chain of trust that allows a principal in one realm to authenticate to a
service in a trusted foreign realm. To establish a trust relationship,
administrators for both realms must have a prior agreement.
You can configure your Kerberos Servers for inter-realm
authentication based on one of the following:
• one-way trust
• two-way trust
• hierarchical trust
One-way Trust
In inter-realm authentication, one-way trust authenticates principals in
Realm Q to the services in Realm S, but prevents principals in Realm S
from accessing services in Realm Q.
In simple terms, if Harry trusts Sally with his secrets, but Sally does not
trust Harry with her secrets, Harry and Sally have a one-way trust
relationship between them.
Two-way Trust
In inter-realm authentication, two-way trust authenticates principals in
Realm Q to the services in Realm S, and principals in Realm S to the
services in Realm Q.
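The following added example (not from the HP-UX manual) models the trust relationships above as shared inter-realm keys: Kerberos V5 names the cross-realm ticket-granting principal krbtgt/SERVICE_REALM@CLIENT_REALM, so a key for krbtgt/S@Q held by both KDCs lets Realm Q's principals reach Realm S but not the reverse. The realm names are constructed, and the path walk assumes each intermediate KDC accepts the transited realms, which is how a chained or hierarchical trust extends the one- and two-way cases.

```python
# Added example: inter-realm trust as a directed graph of shared keys.
# krbtgt/S@Q present on both KDCs => principals in Q may reach services in S.
from collections import deque


def add_trust(keys, client_realm, service_realm, two_way=False):
    """Record a shared inter-realm key; one-way unless two_way is set."""
    keys.add(f"krbtgt/{service_realm}@{client_realm}")
    if two_way:
        keys.add(f"krbtgt/{client_realm}@{service_realm}")


def trusted_realms(keys, realm):
    """Realms that principals of `realm` can reach with one cross-realm TGT."""
    out = set()
    for key in keys:
        service, _, client = key[len("krbtgt/"):].partition("@")
        if client == realm:
            out.add(service)
    return out


def trust_path(keys, client_realm, service_realm):
    """Chain of realms a client crosses to reach the service realm, or None
    when no chain of trust exists in that direction (breadth-first search)."""
    if client_realm == service_realm:
        return [client_realm]
    seen = {client_realm}
    queue = deque([[client_realm]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(trusted_realms(keys, path[-1])):
            if nxt == service_realm:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


# Constructed sample: one-way Q -> S, two-way S <-> T (realm names assumed).
KEYS = set()
add_trust(KEYS, "Q.EXAMPLE", "S.EXAMPLE")
add_trust(KEYS, "S.EXAMPLE", "T.EXAMPLE", two_way=True)

if __name__ == "__main__":
    print(trust_path(KEYS, "Q.EXAMPLE", "S.EXAMPLE"))  # ['Q.EXAMPLE', 'S.EXAMPLE']
    print(trust_path(KEYS, "S.EXAMPLE", "Q.EXAMPLE"))  # None: one-way only
    print(trust_path(KEYS, "Q.EXAMPLE", "T.EXAMPLE"))  # chained through S
```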