URGENT - Kerberos : Authorization

jacky.forestier@orange-ftgroup.com jacky.forestier at orange-ftgroup.com
Fri Apr 23 09:48:32 EDT 2010


 
Hi All,
 
A question on the Kerberos implementation (Kerb v5-1.6) that we tested
and are using now in experimental studies: Does this Kerberos version
allow distinguishing between different users, in terms of granting
the TGS ticket for a certain service to certain users and
refusing the TGS ticket grant for other users?

In our opinion, this is something in the Kerberos logic, otherwise why
does Kerberos distribute TGS tickets?

But, in all our experiments, any client who obtains a TGT ticket (i.e.
successfully authenticates) is granted the TGS ticket when he asks for
it. Given that we tested the Telnet Kerberised and FTP Kerberised
services.

I would like to know if someone could tell me about a certain
configuration in Kerberos that allows, for example, user1 to have only a
TGS for the FTP Kerberised service (and not for the Telnet Kerberised
service) and vice-versa for user2.

We understood from the standard of Kerberos (RFC 4120) that the
authorized data field might be concerned. Is there a certain
configuration that we need to do for this field?

 

Thanks for your help

Best Regards

Jacky Forestier



