Conceptual Questions.

Ken Raeburn raeburn at MIT.EDU
Wed Apr 23 12:18:42 EDT 2008

On Apr 23, 2008, at 03:10, Tadoori (EXT), Vilas wrote:
> Hi All,
> I have few questions and would appreciate if you can help me out on  
> the
> same.
> 1) Is it possible for the  client-side application to obtain a  
> security
> token from the Host OS without talking to the Kerberos server ?

In theory, you can use a service's secret key (such as that of the  
"host" service, used for login-type services) to create credentials  
that can be sent to the service and "prove" the sender to be, well,  
anyone you want.  For example, a setuid-root program could look at the  
uid invoking it and print up credentials using the associated user name.

However, these credentials cannot be used with any other service, only  
with that one.  The Authentication Service and Ticket-Granting Service  
on the KDC are the only ones that can generate credentials useable  
with other services.

So, if you're looking for generally-useable credentials for network  
services, the answer is probably "no".

> 2) What are the types of tokens one can obtain from an Kerberos  
> server?
> For example, can a token be obtained that allows a receiver to vend
> additional tokens?

No.  Without knowing the secret keys, you can't print up new  
credentials.  That's what makes the AS/TGS special -- it's got all the  

> Or, that a token can be issued which limits the user
> to use with a certain application?

Technically, any credential is valid for use with exactly one service  
principal name.  Multiple applications may use the same service  
principal (e.g., ssh and rlogin and telnet all use the "host"  
service), or it may be more special-purpose (e.g., "imap").  The  
Kerberos protocol and implementations do not care.  So you could get  
an initial ticket for "imap", instead of a TGT, and then IMAP is all  
you could access.  It's not clear to me if this is the sort of thing  
you're thinking about.

There's an "authorization data" field which can impose restrictions on  
what the user is allowed to do, but the MIT implementation doesn't  
really make much use of it yet, and there isn't much in the way of  
specifications for its use, aside from Microsoft's PAC data.  I  
suppose it might be used to say, "ssh good, rlogin bad", if you only  
want to allow a subset of the available services that share a service  
principal name, but it would take some work.  And depending on your  
setup, access control lists might be a better way.

Does this help?

Ken Raeburn, Senior Programmer
MIT Kerberos Consortium

More information about the Kerberos mailing list