hi, i'm wondering whether it would be possible to implement ACLs for service ticket requests?
eg, something like a way to specify on the KDC which principals are allowed to request service tickets for whatever service principals. perhaps something as simple as: host/* * allow foo/* host/host.foo.org allow foo/* * deny */fileserver host/fileserver.foo.org allow */fileserver * deny */* * allow * * allow basically, the reason i ask is because i would like some way to restrict certain principals to only getting tickets for certain services at the KDC. the primary reason i want to do this is for the case where a principals key has to be stored in a keytab, because it is for a script that must run automatically. i know which service it should access, and for security it'd be good if 'script principals' could be restricted in this way. the idea being, that if joe evil gets his mits on the keytab containing the key for [EMAIL PROTECTED], he can only use it to access the host/host.foo.org service. at the moment, the only way to implement such ACLs is to set appropriate access controls in the configuration of every service on every machine. this is cumbersome, not least because most services do not have any way to configure such ACLs. But also, because if someone creates a [EMAIL PROTECTED] principal for a script and saves the key to a file, then someone has to go round to every service on every machine and configure them not to accept 'blah/fuddle'. (and if you miss a service..) As all ticket requests go via the KDC AS anyway, it would be most useful to be able to set ticket request policy globally here. With a scheme like the above you could allow users via kadmin ACLs to create a user/fileserver principal and extract the key to a keytab for use with automated scripts. Then with a service ticket request ACL mechanism like the above, if a users keytab was compromised, you could be certain that only access to the host/fileserver.foo.org was compromised. so would it be possible? is there any way to do something like that already (i dont see how)? basically, my biggest problem with using kerberos is the insecurities introduced by keytabs which if compromised allow parties to obtain tickets for any kerberos service they wish - even if there was never a need for that principal to ever have access to more than one kerberos service. thanks in advance, Paul Jakma Unix/Net Sys Admin Alphyra (Irl) Plc. Alphyra House Heather Rd. Sandyford Ind. Est. Dublin 18 tel: +353 1 217 8700 fax: +353 1 217 6039 email: [EMAIL PROTECTED]
