manage access to services

Jeffrey Altman jaltman2 at
Fri Feb 25 10:11:24 EST 2005

paul b wrote:

> According to your answer, the TGS gives a ticket to a service to each
> user requesting, as soon as he presents a valid TGT if I understood
> well?
> Is there no possibility to do an additional access control on the TGS
> that only gives tickets to a user for the services which he is allowed
> to use(sort of acl)?

Access control is not the responsibility of the KDC's TGS, so the answer 
is 'no'.

 > Once the client is authenticated, is the communication between the
 > client and the server encrypted(with the session key in the ticket) or
 > does all the trafic pass in clear text by default. I read some docs
 > and their content was contradictory, perhaps u can clear me this point
 > to?

The Kerberos authentication provides the client and server with a shared
key which only the two of them know about.  Whether or not this key is
used to encrypt the session data is up to the application protocol.

Jeffrey Altman

More information about the Kerberos mailing list