[krbdev.mit.edu #5596] patch for providing a way to set the ok-as-delegate flag

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Wed Jul 18 16:20:12 EDT 2007



nalin at redhat.com via RT wrote:
> On Wed, Jul 18, 2007 at 02:01:31PM -0400, DEEngert at anl.gov via RT wrote:
>> It does not require the client to delegate!  The Sandia mods are enforcing
>> a local policy that will only delegate if the KDC says the server is trusted,
>> and the client requests delegation, i.e. called krb5_fwd_tgt_creds().  In effect
>> doing what Windows clients and AD do by default.
> 
> Maybe I'm coming at this from the wrong direction.  Is the intent to be
> able to disallow credential delegation in cases when the application is
> specifically requesting it?


The intent was to not allow users to set up rogue servers on their workstations
in order to entice other users to forward credentials so they can be misused.

In a Windows environment, the only Windows servers are controlled by the AD
admins, such as CIFS and LDAP, and they set the OK_TO_DELEGATE bits on these
"trusted" servers. So the client will only delegate if the AD says it is OK.

There is a discussion going on in mod_auth_kerb about OK_TO_DELEGATE,
so rogue web servers obtaining credentials is a problem.
Java 1.7(?) will have some ok-to-delegate checks as well.

Unfortunately in a Unix environment, many times you want to forward to a
workstation, like to get AFS tokens, or to run an ssh or scp, and thus almost
any workstation could be considered a "server".


So it might depend on the application as to whether it should take the KDC's
advice. For example: SSH, with the ssh_config Host sections containing
  GSSAPIDelegateCredentials yes
could be considered a "local policy" rule to ignore the OK_TO_DELEGATE.

But with mod_auth_kerb and SPNEGO you always want to check the OK_TO_DELEGATE
flag; you don't want users giving away credentials to the wrong servers.

So it is not obvious to me how to have GSSAPI decide if the OK_TO_DELEGATE
bit should be checked.  Another GSS_ flag to gss_init_sec_context?
An option in the krb5.conf saying which service names should check it?
like:

   check_ok_to_delegate = HTTP, LDAP; (but not host)

  Meaning if the service is HTTP or LDAP only forward if the KDC says OK,
  and the application requests delegation otherwise ignore the KDC's advice.






-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
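The policy sketched in the message above (forward the TGT only when the application asked for delegation and, for service names listed in a hypothetical `check_ok_to_delegate` setting, only when the KDC set ok-as-delegate on the service ticket) can be written down as a small decision function. The following is an added example, not code from the patch, from MIT krb5 or from the author; the `check_ok_to_delegate` option, the `should_delegate` function and the sample principals are assumptions for illustration. The flag bit values are the `TKT_FLG_*` constants MIT krb5 uses in its credential cache (RFC 4120 TicketFlags with bit 0 as the most significant bit), and the check that the user's own TGT is forwardable is included because `krb5_fwd_tgt_creds()` cannot succeed without it regardless of policy.

```python
"""Model of a check_ok_to_delegate policy for Kerberos credential delegation.

Added example: the config option, the decision function and the sample
principals are hypothetical; the flag bit values match MIT krb5's TKT_FLG_*.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ticket flag bits as MIT krb5 stores them (krb5.h TKT_FLG_* values).
TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_FORWARDED = 0x20000000
TKT_FLG_OK_AS_DELEGATE = 0x00040000

# Letters klist -f uses for the flags this example cares about.
FLAG_LETTERS = {
    TKT_FLG_FORWARDABLE: "F",
    TKT_FLG_FORWARDED: "f",
    TKT_FLG_OK_AS_DELEGATE: "O",
}


def flag_letters(ticket_flags: int) -> str:
    """Render the flags this model understands in klist -f style, e.g. 'FO'."""
    return "".join(letter for bit, letter in FLAG_LETTERS.items() if ticket_flags & bit)


def service_name(principal: str) -> str:
    """First component of a service principal: 'HTTP' for
    'HTTP/www.example.com@EXAMPLE.COM'. Rejects principals with no '/'."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError(f"not a service principal: {principal!r}")
    return name.split("/", 1)[0]


def parse_check_list(value: str) -> frozenset[str]:
    """Parse a hypothetical krb5.conf value like 'HTTP, LDAP' into the set of
    service names whose tickets must carry ok-as-delegate before the TGT is
    forwarded. Commas, semicolons and whitespace all separate entries."""
    return frozenset(tok for tok in re.split(r"[,;\s]+", value.strip()) if tok)


@dataclass(frozen=True)
class Decision:
    delegate: bool
    reason: str


def should_delegate(service_principal: str, service_ticket_flags: int,
                    app_requested: bool, tgt_flags: int,
                    check_list: frozenset[str]) -> Decision:
    """Decide whether the client may forward its TGT to service_principal.

    Order of checks: the application must have asked (a GSS delegation
    request or krb5_fwd_tgt_creds()); the user's TGT must be forwardable at
    all; then, only for services named in check_list, the KDC's
    ok-as-delegate flag on the service ticket is consulted.
    """
    if not app_requested:
        return Decision(False, "application did not request delegation")
    if not tgt_flags & TKT_FLG_FORWARDABLE:
        return Decision(False, "user's TGT is not forwardable")
    if service_name(service_principal) not in check_list:
        return Decision(True, "service not in check_ok_to_delegate; KDC advice ignored")
    if service_ticket_flags & TKT_FLG_OK_AS_DELEGATE:
        return Decision(True, "KDC marked this service ok-as-delegate")
    return Decision(False, "ok-as-delegate not set on service ticket; refusing to forward")


if __name__ == "__main__":
    policy = parse_check_list("HTTP, LDAP")      # hypothetical krb5.conf value
    tgt = TKT_FLG_FORWARDABLE                    # constructed: a normal forwardable TGT
    samples = [                                  # constructed service tickets
        ("HTTP/rogue-ws.example.com@EXAMPLE.COM", 0),                      # user-run web server
        ("LDAP/dc.example.com@EXAMPLE.COM", TKT_FLG_OK_AS_DELEGATE),       # AD-blessed server
        ("host/ws.example.com@EXAMPLE.COM", 0),                            # ssh to a workstation
    ]
    for principal, flags in samples:
        d = should_delegate(principal, flags, True, tgt, policy)
        print(f"{principal:45} flags={flag_letters(flags) or '-':3} delegate={d.delegate} ({d.reason})")
```

With `check_ok_to_delegate = HTTP, LDAP`, the HTTP ticket without the flag is refused, the LDAP ticket with it is forwarded, and the `host/` ticket is forwarded on the application's say-so alone, which is the split between web/LDAP and ssh/AFS described in the message. MIT krb5 later settled the API question raised here with `GSS_C_DELEG_POLICY_FLAG` (RFC 5896), a request flag to `gss_init_sec_context` that delegates only if the service ticket carries ok-as-delegate.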



