Architectural Question ...
Tony Cowan
ttcowan at us.ibm.com
Thu Feb 6 11:06:18 EST 2003
Thanks again Luke,
So you're suggesting that the common practice is to have a single principal
for the box that identifies all services rather than separate principals
for each service.
That would explain why the lesser privileged service in your example didn't
have its own service key, and also why it would make sense that only some
privileged service has access to the one key. I don't quite get why the
LSA has to visit the KDC if it has the service key ....
Thanks for the tip.
As an aside, I'm working with a java JGSS-API implementation.
Thanks,
Tc.
Tony Cowan - IBM SWG Services. (ttcowan at us.ibm.com)
Phone: (206) 675 0095 Cell: (206) 280 6942
There is no tomorrow. Only a succession of todays. Don't wait too long to
figure that out.
Luke Howard <lukeh at PADL.COM> wrote on 02/06/2003 06:49 AM (please respond to lukeh):
To: Tony Cowan/Pittsburgh/IBM at IBMUS
cc: kerberos at mit.edu
Subject: Re: Architectural Question ...
If a Windows 2000 service is not running as the local system account,
then the Local Security Authority will contact the KDC to validate
the authorisation data in the ticket. This is to prevent a service
running with least privilege from forging a ticket to itself with
more privileged authorisation data.
In practice only the Local Security Authority has access to the
service key so this attack would not be possible. It certainly adds
a layer of complexity as far as interoperability is concerned.
-- Luke
>From: ttcowan at us.ibm.com (Tony Cowan)
>Subject: Re: Architectural Question ...
>To: kerberos at mit.edu
>Date: 6 Feb 2003 06:03:30 -0800
>Organization: http://groups.google.com/
>
>> No, that's the beauty of Kerberos.
>
>Thanks Luke.
>Someone tells me they've been sniffing and found that one particular
>implementation does in fact hit the KDC to validate the ticket.
>I wonder if it's actually hitting the KDC for some other purpose.
>Getting further information perhaps .. I guess the "session" key
>should be in the original message, so it shouldn't need to fetch that
>... I wonder what else it might be.
>
>Cheers,
>Tc.
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
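Luke's point about the LSA visiting the KDC, as an added example that is not part of this thread: a toy Python model of the two keyed checksums Windows puts on the ticket's authorization data (server checksum under the service key, KDC checksum under the krbtgt key). The key values, user names and group names are constructed for the demo and the HMAC scheme is a simplification of the real PAC format, but it shows why a local check with only the service key is not enough and what the KDC round-trip adds.

```python
import hmac
import hashlib
import json

# Constructed demo keys (not real Kerberos keys): the KDC's own key and the
# service's long-term key. Only the KDC ever holds KDC_KEY.
KDC_KEY = b"demo-krbtgt-key"
SERVICE_KEY = b"demo-service-key"


def _sig(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _encode(authz: dict) -> bytes:
    return json.dumps(authz, sort_keys=True).encode()


def issue_ticket(authz: dict) -> dict:
    """KDC issues a ticket: the authorization data gets a server checksum under
    the service key, and the KDC checksum is computed over that server checksum
    under the KDC key (the layering used by the real PAC)."""
    server_sig = _sig(SERVICE_KEY, _encode(authz))
    kdc_sig = _sig(KDC_KEY, server_sig)
    return {"authz": authz, "server_sig": server_sig, "kdc_sig": kdc_sig}


def service_local_check(ticket: dict) -> bool:
    """All a holder of the service key can verify on its own."""
    expected = _sig(SERVICE_KEY, _encode(ticket["authz"]))
    return hmac.compare_digest(expected, ticket["server_sig"])


def kdc_verify(ticket: dict) -> bool:
    """The check the LSA delegates to the KDC: recompute the KDC checksum."""
    expected = _sig(KDC_KEY, ticket["server_sig"])
    return hmac.compare_digest(expected, ticket["kdc_sig"])


def resign_with_service_key(ticket: dict, new_authz: dict) -> dict:
    """Models the threat in the thread: a process that has the service key but
    not the KDC key swaps in different authorization data. It can refresh the
    server checksum but must leave the KDC checksum as it was."""
    server_sig = _sig(SERVICE_KEY, _encode(new_authz))
    return {"authz": new_authz, "server_sig": server_sig, "kdc_sig": ticket["kdc_sig"]}


def validate(ticket: dict, running_as_local_system: bool) -> bool:
    """LSA policy from the thread: a LocalSystem service trusts the server
    checksum; anything else also requires the KDC to confirm the KDC checksum."""
    if not service_local_check(ticket):
        return False
    return True if running_as_local_system else kdc_verify(ticket)
```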