Cross-realm security issues
Sam Hartman
hartmans at MIT.EDU
Wed Sep 29 17:47:12 EDT 2004
>>>>> "Fredrik" == Fredrik Tolf <fredrik at dolda2000.com> writes:
Fredrik> See, I don't understand how this can be a security issue
Fredrik> at all. I mean, I realize of course that the security of
Fredrik> a principal is no greater than the security of its realm,
Fredrik> but as far as I know principals from foreign realms don't
Fredrik> get authorized unless one explicitly adds them to one's
Fredrik> ~/.k5login, isn't that so? If that truly is the case, how
Fredrik> can cross- realm authentication possibly be an issue in
Fredrik> any way?
I tend to agree with your understanding. It could be a problem if you
don't trust your users to make reasonable authorization decisions.
I think most of the concern about cross-realm security is unfounded.
--Sam
More information about the Kerberos
mailing list