> do you really think that people use different passwords for */admin
> principals than their regular user principals?

I do. And I use / a lot for test accounts and all sorts of stuff.

Chris

On 2013-01-19 15:46, Nico Williams wrote:
> On Fri, Jan 18, 2013 at 1:35 PM, Russ Allbery <[email protected]> wrote:
>> Nico Williams <[email protected]> writes:
>>> There's really no point to the /admin thing: since the server requires
>>> INITIAL tickets there's no risk of use of stolen TGTs for accessing
>>> kadmin, and if you were to have different pre-authentication
>>> requirements for kadmin than for initial TGTs the protocol does allow
>>> that.
>>
>> Er, it's still a good security practice to use a separate set of
>> credentials that you don't type into everything all the time to do your
>> daily work. Particularly given that we still live in a world where
>> there's a lot of SASL PLAIN over TLS.
>
> That might be true, but a) do you really think that people use
> different passwords for */admin principals than their regular user
> principals? and b) there's no reason that we couldn't have different
> credentials for this without having different identifiers.
>
>> It also lets you do things like assign /admin principals randomized keys
>> and require that people use PKINIT.
>
> kadmind could just require that hardware pre-auth have been done in
> order to allow certain operations.
>
> See also (b) above. Granted, (b) could only work as long as kadmind
> requires INITIAL tickets, or, if it didn't, as long as the client knew
> how to request extra/different pre-auth and the KDC knew how to label
> the resulting tickets as being differently pre-authenticated. And
> yes, we can do that.
>
>> So no, there is definitely a point.
>
> But I don't believe that distinct names is necessary for this.
>
> Nico
> --
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
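The separate-credentials practice Russ describes above (a distinct */admin instance whose key is randomized, so the INITIAL ticket kadmind insists on can only come from PKINIT or another non-password pre-auth) looks like this in an MIT krb5 kadm5.acl. This is an added sketch, not text from the thread; the realm EXAMPLE.COM, the file path and the principal names chris and chris/admin are assumptions.

```conf
# /var/kerberos/krb5kdc/kadm5.acl   (path is an assumption; it varies by distro)
#
# Only the */admin instance gets administrative rights from kadmind.
# chris@EXAMPLE.COM, the everyday principal whose password ends up in
# SASL PLAIN over TLS and similar places, matches no line here and so
# can do nothing through kadmind beyond what is allowed to everyone.
*/admin@EXAMPLE.COM   *

# Creating the admin instance with kadmin.local (commands shown as comments,
# since this file holds only ACL entries):
#
#   addprinc -randkey +requires_preauth chris/admin@EXAMPLE.COM
#
# -randkey: no password exists for chris/admin, so there is nothing to reuse
#           from the everyday account and nothing to type into other services;
#           with no keytab extracted, an initial ticket for it can only be
#           obtained through PKINIT (or whatever non-password pre-auth the
#           KDC offers), which is the property Russ wants from a separate name.
# +requires_preauth: the KDC refuses to issue the AS-REP without pre-auth,
#           so a ticket for chris/admin always carries the INITIAL flag
#           kadmind checks for, and a stolen TGT cannot be used instead.
```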
