On 21 Jan 2002, Sam Hartman wrote:

> Yes, unfortunately it might be possible to do this. This means
> someone might do it. Depending on how they did it they would
> either create a security problem or an interoperability problem.

Shouldn't be an interoperability problem, should it? It would be completely internal to the KDC. At worst a principal is denied a service ticket request. ??

> Kerberos assumes that authentication does not imply authorization.

Indeed. And while such a policy would be admirable, the reality of how applications are implemented makes it difficult to work with.

> If people start writing and deploying services without such
> authorization checks then running those services against standard
> KDCs would create a security problem.

Unfortunately I know of very few applications that implement such checking (unless GSSAPI has some internal checking code and some config file I don't know about). Most I know of use the libraries and just allow you to select between various auth methods. Or you use PAM and pam_krb5 (which AFAICT has no method of applying policy).

> You're better off adopting a privilege certificate solution like
> DCE or Microsoft or using a directory like LDAP to store
> authorization information.

Indeed, but again not all apps support this.

Now, most services would require there to be a valid user in some information directory or some such. So, e.g., having a foo/bar principal key would not be of any use to log in to a remote account via SSH. Also, I can deny users within the SSH configuration. And most services would require a user to exist (e.g. via some directory accessible to libc), but it still doesn't give me a 'warm feeling' that some application that didn't have a requirement for a user to exist, and that didn't implement policy checks for principals, would be accessible to any principal.

Given that in the real world very few applications support policy checking of principals against some directory, is there any reason not to at least have the facility of applying policy within the KDC? (It would be convenient at least.)

regards,

Paul Jakma.
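The application-side check the thread says most services lack, written out as an added example (it is not code from the thread, from any KDC, from a GSSAPI library or from pam_krb5): after Kerberos authentication has established a principal name, the service itself decides whether that principal may act as the requested local account. The policy modelled here is a simplification of the .k5login convention used by MIT krb5's kuserok: if the target user has an allow list, only listed principals qualify; otherwise only a single-component principal in the default realm whose name equals the local user qualifies, so a foo/bar@REALM service key maps to no account by default. The principal parser, the sample realm and the sample allow lists are all constructed for the example.

```python
"""Application-side authorization for Kerberos principals (constructed example).

Kerberos authentication only proves the client holds the key of some
principal; it says nothing about whether that principal may use this
service or act as a given local account.  This is the check a service has
to do itself.  It is illustrative code, not from any KDC, GSSAPI library or
pam_krb5; the policy is a simplified model of MIT krb5's .k5login/kuserok
behaviour.
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    components: tuple   # ("bob",) or ("foo", "bar") for foo/bar@REALM
    realm: str

    def unparse(self) -> str:
        """Canonical string form with '\\', '/' and '@' re-escaped."""
        def esc(s: str) -> str:
            return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)


def parse_principal(name: str, default_realm: str) -> Principal:
    """Split 'a/b@REALM' into components and realm, honouring backslash escapes.

    A missing realm is filled in with default_realm.  Raises ValueError on an
    empty component, an empty realm, a second unescaped '@' or a trailing
    backslash, so malformed names are rejected rather than partially matched.
    """
    components = []
    buf = []
    realm: Optional[str] = None
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            if i + 1 >= len(name):
                raise ValueError("dangling escape in principal name")
            buf.append(name[i + 1])   # escaped character taken literally
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(buf))
            buf = []
        elif realm is None and ch == "@":
            components.append("".join(buf))
            buf = []
            realm = ""                 # the rest of the string is the realm
        elif realm is not None and ch == "@":
            raise ValueError("unescaped '@' inside realm")
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        components.append("".join(buf))
        realm = default_realm
    else:
        realm = "".join(buf)
    if not realm or any(c == "" for c in components):
        raise ValueError("malformed principal name: %r" % name)
    return Principal(tuple(components), realm)


def kuserok(principal: Principal, local_user: str, default_realm: str,
            k5login: Mapping[str, FrozenSet[str]]) -> bool:
    """True if principal may act as local_user.

    k5login maps a local user to the canonical principal strings of that
    user's allow list (constructed in memory here, not read from ~/.k5login).
    With an allow list, only listed principals qualify.  Without one, only
    local_user@default_realm qualifies: cross-realm names and multi-component
    (service) names such as foo/bar@REALM never map to an account by default.
    """
    entries = k5login.get(local_user)
    if entries is not None:
        return principal.unparse() in entries
    return (principal.realm == default_realm
            and len(principal.components) == 1
            and principal.components[0] == local_user)


def authorize_login(authenticated_name: str, requested_user: str,
                    default_realm: str, k5login: Mapping[str, FrozenSet[str]],
                    denied_users: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Deny-by-default decision a service makes after authentication succeeds.

    denied_users models a service-level deny list (like sshd's DenyUsers)
    applied before any principal mapping.  Returns (allowed, reason).
    """
    if requested_user in denied_users:
        return False, "local user %r is denied by service policy" % requested_user
    try:
        principal = parse_principal(authenticated_name, default_realm)
    except ValueError as exc:
        return False, "unparseable principal: %s" % exc
    if kuserok(principal, requested_user, default_realm, k5login):
        return True, "%s may act as %s" % (principal.unparse(), requested_user)
    return False, "%s is not authorized for %s" % (principal.unparse(), requested_user)


# Constructed sample policy; not read from any real directory or .k5login file.
DEFAULT_REALM = "EXAMPLE.ORG"
SAMPLE_K5LOGIN = {
    "alice": frozenset({"alice@EXAMPLE.ORG", "alice/admin@EXAMPLE.ORG"}),
    # "bob" has no allow list, so only bob@EXAMPLE.ORG may act as bob.
}

if __name__ == "__main__":
    for name, user in [("bob@EXAMPLE.ORG", "bob"), ("foo/bar@EXAMPLE.ORG", "bob"),
                       ("bob@OTHER.ORG", "bob"), ("alice/admin@EXAMPLE.ORG", "alice")]:
        print(name, "->", user, authorize_login(name, user, DEFAULT_REALM, SAMPLE_K5LOGIN))
```

The point of the shape is that the service never trusts the KDC to have filtered anything: every decision is made locally, the default is to deny, and a principal that authenticates fine but has no mapping (a service key, a cross-realm user, a name the parser rejects) ends up with a reason string the service can log instead of a shell.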
