Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR

Jeffrey Hutzelman jhutz at cmu.edu
Tue Jun 24 12:31:03 EDT 2008 

--On Wednesday, June 18, 2008 04:54:04 PM -0400 Ken Raeburn 
<raeburn at MIT.EDU> wrote:

> On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
>> I believe that the meaning of allow_tix should be altered such that
>> it only applies to the client
>> in a TGS or AS request.  This would permit -allow_tix to be applied
>> to a service principal
>> and ensure that no client ticket requests can be satisfied for that
>> service principal while at
>> the same time permitting other principals to obtain service tickets.
>> Organizations that wish to disable the issuance of service tickets
>> for the service principal
>> would apply -allow_svr to the principal in addition to -allow_tix.
>
> I think it should be pointed out that such a change would allow
> tickets to start being issued where currently they would not when the
> KDC software gets updated -- even if the latter really was the intent
> of the realm administrator.  Because of that, we might instead want to
> create a new flag with the semantics Jeff wants, and leave the
> existing flag with its current (suboptimal) behavior.

I don't consider the current behavior of -allow_tix to be suboptimal.  Its 
effect is to completely and totally disable a principal for all uses, which 
is a desirable thing to be able to do from an administrative point of view, 
separately from the ability to specify "this principal can only be used as 
a client" (-allow_svr) or "this principal can only be used as a service 
(the new flag Jeff is asking about).

Note that there is a justification for having -allow_svr without 
-allow_clt.  The former, when used with a policy requiring the use of 
preauth, prevents an attacker from asking the KDC for ciphertext to be used 
in a long-term attack against a principal's key.  This is particularly 
useful for principals belonging to human users, whose keys are often 
derived from passwords with fairly low entropy.  While -allow_clt may be a 
useful policy for administrative purposes, it doesn't serve the same kind 
of security goal.

-- Jeff

More information about the Kerberos mailing list