Kerberized authorization service

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Feb 11 11:25:18 EST 2008


>I think this has all the elements Jeff thought were essential
>except for:
>   1) a text reason for no  <-- not seeing what you would say -- "no means no"?

Let's say, for example, you wanted to require hardware preauthentication for
some services (I doubt _you_ would, but that is something that we do).  You
could return a message that says, "Hardware preauthentication is required
to access this system".  Or you might want to return a message of the
form, "Kerberos principal kenh@CMF.NRL.NAVY.MIL is not permitted to login to
account hascall".  Or you might want to return the message, "You're fired,
piss off!".  Or ... well, you get the idea.

I could maybe see the argument that this might be a security issue; if
you think that's the case, the hypothetical authz server could simply
return "Permission denied" for every failure.  But if the error text is
returned by the server, that gives you the option of adding more useful
error messages in the future.  Me, I've found that the more useful of
an error message you can return, the easier time you have in terms of
user support.

--Ken
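An illustration of the trade-off Ken describes, added here and not part of the original thread: the authz decision keeps the full reason for its own audit record while a switch decides whether the requester sees that reason or only "Permission denied". The account-to-principal policy and the "root requires hardware preauth" rule are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample policy (not from the thread): which principals may log in
# to which local accounts, and which accounts also require hardware preauth.
LOGIN_POLICY = {
    "hascall": {"principals": {"hascall@CMF.NRL.NAVY.MIL"}, "hw_preauth": False},
    "root": {"principals": {"kenh/admin@CMF.NRL.NAVY.MIL"}, "hw_preauth": True},
}

GENERIC_DENIAL = "Permission denied"


@dataclass
class AuthzResult:
    permitted: bool
    client_message: str  # what the authz server returns to the requesting host
    audit_reason: str    # full reason, always retained server-side for support


def authorize(principal, account, hw_preauth_used, verbose_errors=True):
    """Decide whether `principal` may log in to `account`.

    The detailed reason is always produced and kept in `audit_reason`; with
    verbose_errors=False the client only ever sees GENERIC_DENIAL, which is
    the conservative option discussed in the thread.
    """
    policy = LOGIN_POLICY.get(account)
    if policy is None:
        reason = f"Account {account} is not known to this authorization service"
    elif principal not in policy["principals"]:
        reason = (f"Kerberos principal {principal} is not permitted to "
                  f"login to account {account}")
    elif policy["hw_preauth"] and not hw_preauth_used:
        reason = "Hardware preauthentication is required to access this system"
    else:
        return AuthzResult(True, "OK", f"{principal} permitted on {account}")

    # Denial: the wire message depends on the operator's choice, the audit
    # record does not.
    return AuthzResult(False, reason if verbose_errors else GENERIC_DENIAL, reason)


if __name__ == "__main__":
    for args in [("kenh@CMF.NRL.NAVY.MIL", "hascall", True),
                 ("kenh/admin@CMF.NRL.NAVY.MIL", "root", False),
                 ("kenh/admin@CMF.NRL.NAVY.MIL", "root", True)]:
        print(args, "->", authorize(*args))
        print(args, "->", authorize(*args, verbose_errors=False))
```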
