Cross-realm security issues

Fredrik Tolf fredrik at
Wed Sep 29 19:30:07 EDT 2004

On Wed, 2004-09-29 at 21:59 +0000, Sam Hartman wrote:
> >>>>> "Fredrik" == Fredrik Tolf <fredrik at> writes:
>     Fredrik> See, I don't understand how this can be a security issue
>     Fredrik> at all. I mean, I realize of course that the security of
>     Fredrik> a principal is no greater than the security of its realm,
>     Fredrik> but as far as I know principals from foreign realms don't
>     Fredrik> get authorized unless one explicitly adds them to one's
>     Fredrik> ~/.k5login, isn't that so? If that truly is the case, how
>     Fredrik> can cross-realm authentication possibly be an issue in
>     Fredrik> any way?
> I tend to agree with your understanding.  It could be a problem if you
> don't trust your users to make reasonable authorization decisions.

If that is the case, I would rather see that there would be a global
directive in /etc/krb5.conf that would disallow _authorization_ from
foreign realms, regardless of individual users' authorization settings.
I don't think that the authentication should be invalid just because one
doesn't trust one's users with authorization.

> I think most of the concern about cross-realm security is unfounded.

I'm glad to hear that. In my opinion, it would be very nice if Kerberos
could, in conjunction with DNS (maybe DNSSEC?), form a global
authentication system, in the same spirit in which DNS forms a global
information database.

Fredrik Tolf
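
For an administrator who wants to check what users have authorized in their ~/.k5login files, as discussed in this message, the following is an added example (not part of the original post and not code from the Kerberos project) that lists entries whose realm differs from the local realm. The function names, the sample file contents and the realm EXAMPLE.ORG are constructed for illustration; it assumes one principal per line and that an entry without a realm belongs to the local realm.

```python
def split_principal(principal, default_realm):
    """Split 'name[/instance][@REALM]' at the first unescaped '@'."""
    i = 0
    while i < len(principal):
        if principal[i] == "\\":      # a backslash escapes the next character
            i += 2
            continue
        if principal[i] == "@":
            return principal[:i], principal[i + 1:] or default_realm
        i += 1
    return principal, default_realm   # assumption: no realm means local realm


def foreign_entries(k5login_text, local_realm):
    """Return (line_number, entry, realm) for entries outside local_realm."""
    findings = []
    for lineno, line in enumerate(k5login_text.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue
        _, realm = split_principal(entry, local_realm)
        if realm != local_realm:      # realm names are compared case-sensitively
            findings.append((lineno, entry, realm))
    return findings


# Constructed sample .k5login contents (not taken from any real system).
SAMPLE_K5LOGIN = r"""alice@EXAMPLE.ORG
alice/admin@EXAMPLE.ORG
alice@PARTNER.EXAMPLE.NET
bob
odd\@name@EXAMPLE.ORG

carol@example.org
"""

if __name__ == "__main__":
    for lineno, entry, realm in foreign_entries(SAMPLE_K5LOGIN, "EXAMPLE.ORG"):
        print(f"line {lineno}: {entry} (realm {realm})")
```

The lowercase realm on the last sample line is reported because Kerberos realm names are case-sensitive, so it is not the local realm.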
