[Kdc-info] policy-as-code

Ken Raeburn raeburn at MIT.EDU
Thu May 15 02:04:46 EDT 2003 

Leif Johansson <leifj at it.su.se> writes:
> I had a discussion with Love Hörnqvist-Åstrand who had an
> interesting point concerning policy-requirements in a kdc which
> makes me dobout the long-term feasability of modelling policy in the
> directory. The argument goes something like this (Love: Please
> correct me on the list if I got you wrong, ok?):

> Today policy can be described in terms of a fixed set of parameters
> (password expiry days for instance) but this may be inadequate to
> describe more complex but necessary policy. For instance try to
> express: all */admin must have more than 4 iterations in AES or only
> requests coming from a certain set of hosts are allowed to obtain
> tickets for foo-service/foo.example.com at EXAMPLE.COM.

The "can't obtain tickets" restriction based on random parameters
bothers me.  If we don't want the user to be able to use the service,
that's an authorization issue.  Why are we preventing the user from
*authenticating* to it?  Maybe there's some perceived "level" of
authenticity that's based on the IP address or iteration count?  Fine;
express it in the tickets, and make an *authorization* decision based
on that.  But, that aside....

I don't think I'd try to express that as one single policy.  It may
make more sense to an administrator that way, and it might be nice if
the UI would present it that way, but at the KDC level, I see it as at
least multiple policies applied at various times:

 - What iteration counts are acceptable for AES for this principal?
   This is relevant at password changing time, or whenever it is you
   allow the user or administrator to tweak the iteration count.

   It's not part of the change-password protocol, last I checked.  And
   it probably won't be in the LDAP password policy stuff we want to
   see about building on.

 - What constraints or privileges are applied to a TGT or other
   initial ticket issued to a client on a particular host?
   (can/cannot get foo-service tickets, okay/not-okay for really
   paranoid services in general, "level" of authenticity, etc)

 - Is a particular client on a particular server with a particular key
   type and X parameters allowed to get initial tickets for service Z?

Applying restrictions or privileges to the TGT based on the database
entry, the PBKDF2 iteration count, the encryption type chosen (you
probably wouldn't want to allow access to foo-service using single DES
either), the client IP address, and possibly other data, that's hard
to express in any general form without a programming language.

Maybe it would be better to just allow for additional locally-defined
(or not yet standardized) options referenced by name, OID, whatever,
and implemented through local code changes, perl scripts stored as
data, etc.  For the benefit of the UI, perhaps these local policy
knobs should have names and/or descriptions accessible in some
standardized way, and probably should be collected in a list somewhere
so a confused admin can't specify a policy object that doesn't exist.
It's not like arbitrary network entities have to be able to apply
arbitrary policies, is it?

Or does this lead to the cpim mess you mentioned?

Ken

More information about the kdc-info mailing list