Cross-realm security issues

Sam Hartman hartmans at MIT.EDU
Wed Sep 29 17:47:12 EDT 2004


>>>>> "Fredrik" == Fredrik Tolf <fredrik at dolda2000.com> writes:

    Fredrik> See, I don't understand how this can be a security issue
    Fredrik> at all. I mean, I realize of course that the security of
    Fredrik> a principal is no greater than the security of its realm,
    Fredrik> but as far as I know principals from foreign realms don't
    Fredrik> get authorized unless one explicitly adds them to one's
    Fredrik> ~/.k5login, isn't that so? If that truly is the case, how
    Fredrik> can cross-realm authentication possibly be an issue in
    Fredrik> any way?

I tend to agree with your understanding.  It could be a problem if you
don't trust your users to make reasonable authorization decisions.


I think most of the concern about cross-realm security is unfounded.

--Sam
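
The following is an added example, not part of the original message: a small audit of the ~/.k5login entries discussed above, listing every entry that names a realm other than the local one so an administrator can review the authorization decisions users have made. The function names, the realm names EXAMPLE.ORG and PARTNER.EXAMPLE, and the sample file content are constructed for illustration.

```python
"""Audit .k5login content for entries outside the local realm (added example)."""
import sys


def split_principal(entry):
    """Return (name, realm); realm is None when no unescaped '@' is present."""
    i = 0
    while i < len(entry):
        if entry[i] == "\\":        # backslash quotes the next character
            i += 2
            continue
        if entry[i] == "@":         # first unescaped '@' starts the realm
            return entry[:i], entry[i + 1:]
        i += 1
    return entry, None


def audit_k5login(text, local_realm):
    """Return (line_no, entry, realm) for each entry not in local_realm.

    Entries with no realm at all are reported too (realm is None) so a
    reviewer can look at them.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        _, realm = split_principal(entry)
        if realm != local_realm:    # realm names are case-sensitive
            findings.append((line_no, entry, realm))
    return findings


# Constructed sample .k5login content; every name and realm is made up.
SAMPLE = (
    "alice@EXAMPLE.ORG\n"
    "\n"
    "alice/admin@EXAMPLE.ORG\n"
    "bob@PARTNER.EXAMPLE\n"
    "weird\\@name@EXAMPLE.ORG\n"
    "carol\n"
)

if __name__ == "__main__":
    # Usage: script.py LOCAL.REALM /home/user/.k5login [more files ...]
    for path in sys.argv[2:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, entry, realm in audit_k5login(fh.read(), sys.argv[1]):
                print(f"{path}:{line_no}: {entry} (realm: {realm})")
```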


