Fri Feb 25 08:45:01 EST 2005

According to your answer, the TGS gives a ticket to a service to each
user requesting, as soon as he presents a valid TGT if I understood

Is there no possibility to do an additional access control on the TGS
that only gives tickets to a user for the services which he is allowed
to use (sort of ACL)?


Jeffrey Altman <jaltman2 at> wrote in message news:<QEnTd.13666$qn2.2870712 at>...
> Access control is not enforced by the TGS.  The TGS provides service
> tickets which allow a client to authenticate itself to the application
> service.  It is the responsibility of the application service to consult
> an authorization database to determine what permissions (if any) the
> client may be granted.
> 
> Jeffrey Altman
> 
> paul b wrote:
> > Hello,
> > I have a question about managing the access to the different services
> > in Kerberos.
> > 
> > When I have my TGT and I ask the TGS to get access to a specific
> > service (for ex. kerberized FTP), how does the TGS know if I have the
> > right to access this server? Is there any database on the TGS that
> > contains the information which user has access to which service or
> > does the TGS the TGT in any case and the access rights are managed on
> > the server offering the service?
> > 
> > My second question is how can I specify which user has access to which
> > service? Are there commands on the TGS (eventually to add users to a
> > database managing the rights???) or do I have to specify the user
> > rights on the server offering the service?
> > 
> > Thank you very much in advance
> > 
> > CB
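
The division of labour described in the quoted reply, as an added example that is not part of the original thread and not code from any Kerberos distribution: the application service takes the client principal from an already verified service ticket and consults its own authorization list, denying by default. The ACL format, principal names and permission names are constructed for illustration.

```python
# Added example: authorization done by the application service, not the KDC.
# ACL format, principals and permission names below are constructed.
from typing import NamedTuple

class Principal(NamedTuple):
    name: str    # primary, optionally with /instance
    realm: str

def parse_principal(text: str) -> Principal:
    """Split 'name@REALM'; a principal without a realm is rejected."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a fully qualified principal: {text!r}")
    return Principal(name, realm)

def load_acl(lines):
    """Parse 'principal perm[,perm...]' lines into {Principal: set(perms)}."""
    acl = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        who, perms = line.split(None, 1)
        acl[parse_principal(who)] = {p.strip() for p in perms.split(",") if p.strip()}
    return acl

def authorize(acl, client: str, wanted: str) -> bool:
    """Default deny: unknown principals and unlisted permissions get nothing.
    `client` is the name taken from the already verified service ticket."""
    try:
        principal = parse_principal(client)
    except ValueError:
        return False
    return wanted in acl.get(principal, set())

SAMPLE_ACL = [
    "# constructed ACL for a hypothetical kerberized FTP service",
    "alice@EXAMPLE.COM   read,write",
    "bob@EXAMPLE.COM     read",
]

def demo():
    acl = load_acl(SAMPLE_ACL)
    return [
        authorize(acl, "alice@EXAMPLE.COM", "write"),  # listed with write
        authorize(acl, "bob@EXAMPLE.COM", "write"),    # authenticated, not permitted
        authorize(acl, "carol@EXAMPLE.COM", "read"),   # valid ticket, no ACL entry
        authorize(acl, "alice@OTHER.REALM", "read"),   # same name, different realm
    ]

if __name__ == "__main__":
    print(demo())
```

The third and fourth cases are the ones the thread is about: both clients can hold a valid service ticket, and the service still refuses them because its own list does not grant access.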

