Kerberized authorization service

Jeffrey Altman jaltman at secure-endpoints.com
Mon Feb 11 10:38:40 EST 2008 

Ken Hornstein wrote:
> DCE tried to put authz data into Kerberos, and I think everyone would
> agree that DCE has been a failure.  Now obviously putting authz data
> into Kerberos is not the reason that they failed, but it just shows
> one of the fundamental problems with DCE - over-engineering.  You could
> bring up Microsoft as a counter-example.  That would be true, but Microsoft
> has the advantage of having tons of paid programmers to implement their
> designs and they control all aspects of their software at all levels.
> In the open-source world we do not have those luxuries ... we need to
> be able to have designs that are simple to implement and understand, and
> we need to be able to play nicely in heterogenous environments.
 From my perspective the problem with DCE and Active Directory is not 
that they
store authz data in the Kerberos ticket.  Doing so addresses a large 
number of issues
associated with partially connected network graphs and and mobile clients.

Where I believe there is a failure is that they do not provide the 
alternative model
as well.  A service should not have to trust the authz in the service 
ticket if it believes
that it might be out of date.  In federated environments, the authz 
decision should be
made by the organization that owns the service and that organization 
should not be
forced to stuff additional authz data into the issued service ticket.  
Note that in the
Kerberos cross-realm model the cross-realm TGT is not issued by the 
organization
performing the authz, so there is additional overhead associated for the 
KDC in
reconstructing the authz data for each service ticket that is issued.  
Finally, for compatibility
with pre-existing service protocols that have credential size 
limitations there needs
to be methods of disabling the issuance of authz not only TGS-REPs for 
general services
but for cross-realm TGTs as well.

The Kerberos API krb5_userok() comes fairly close to having the correct 
interface.
The problem with the implementation is that there is no pluggable mechanism
for calling out to an authz service.  Recompiling the libraries for each 
organization's
authz model is not usable.  I believe the model needs to have the following
components:

1. a mutually authenticated channel between the service issuing the 
query and the
    authz service
2. the protocol should provide
    a. identity of the requesting service (obtained through mutual 
authentication of the channel)
    b. name of client as trusted by the service
3. the protocol should return
    a. yes or no response
    b. reason for a no response that can be returned to the client
    c. (optional) authz data (group memberships, rights, etc.) as of the 
present time

That is my two cents worth ...

Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080211/e3e244c5/attachment.bin

More information about the Kerberos mailing list