On Sun, 2009-03-08 at 13:00 -0700, Russ Allbery wrote:
> Mikkel Kruse Johnsen <[email protected]> writes:
>
> > Firefox: Type "about:config" in the Location bar. Type "nego" in the
> > filter and double-click "network.negotiate-auth.delegation-uris" and
> > "network.negotiate-auth.trusted-uris" and type in your domain name (in
> > my example I have "cbs.dk" in both)
>
> Be aware that doing this will cause your browser to promiscuously send
> your credentials to every server in that domain with a valid HTTP/*
> principal in your KDC and allow that server to impersonate you to any
> other service. This may be what you want to do, but it's worth thinking
> carefully about the implications before you do it.
>
> For example, if you're an educational site that allows students to obtain
> HTTP/* principals for their own systems, you *don't* want to do this.

Isn't it a feature of Kerberos to be able to limit the powers that one
delegates using proxiable tickets? If I understand correctly, it should be
possible to delegate for the server to impersonate you only to the LDAP
service on host ldap.example.com instead of forwarding your krbtgt.

-- 
Loren M. Lang
[email protected]
http://www.alzatex.com/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
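
The exposure Russ Allbery warns about in the quoted reply can be checked per profile; the following is an added example, not part of the original thread. It reads the two preferences named above from `prefs.js` text and lists hosts that would be handed a delegated ticket without being approved. The matching model (entry matches the host or anything below it on a dot boundary), the host inventory, the approved set and the host names under cbs.dk are assumptions constructed for illustration.

```python
import re

DELEGATION = "network.negotiate-auth.delegation-uris"  # pref names from the thread
TRUSTED = "network.negotiate-auth.trusted-uris"
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;')

def parse_prefs(text):
    """Return {pref: [entries]} for the two negotiate-auth list prefs in prefs.js text."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in (DELEGATION, TRUSTED):
            found[m.group(1)] = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return found

def entry_covers(entry, host):
    """Assumed matching model: optional scheme:// and :port are dropped, then the
    entry matches the host itself or any host below it on a dot boundary."""
    pattern = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.lower()).split("/")[0].split(":")[0]
    host = host.lower()
    if not pattern:  # scheme-only entry such as "https://" covers every host
        return True
    return host == pattern or host.endswith("." + pattern.lstrip("."))

def audit(prefs_text, http_principal_hosts, approved):
    """Map each delegation entry to the unapproved hosts it would delegate to."""
    prefs = parse_prefs(prefs_text)
    exposed = {}
    for entry in prefs.get(DELEGATION, []):
        extra = sorted(h for h in http_principal_hosts
                       if entry_covers(entry, h) and h not in approved)
        if extra:
            exposed[entry] = extra
    return exposed

# Constructed sample data: a profile configured as in the thread, plus a
# hypothetical inventory of hosts holding HTTP/* principals in the KDC.
SAMPLE_PREFS = '''
user_pref("network.negotiate-auth.trusted-uris", "cbs.dk");
user_pref("network.negotiate-auth.delegation-uris", "cbs.dk");
'''
HTTP_HOSTS = ["intranet.cbs.dk", "student-box.lab.cbs.dk", "www.example.org"]
APPROVED = {"intranet.cbs.dk"}

if __name__ == "__main__":
    for entry, hosts in audit(SAMPLE_PREFS, HTTP_HOSTS, APPROVED).items():
        print(f"{entry!r} also delegates to: {', '.join(hosts)}")
```

Narrowing the delegation entry to the single approved host makes the audit come back empty, while the trusted-uris list can stay broader because it does not forward a ticket.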
