URGENT - Kerberos : Authorization

Jeffrey Altman jaltman at secure-endpoints.com
Fri Apr 23 18:58:29 EDT 2010


On 4/23/2010 2:48 PM, jacky.forestier at orange-ftgroup.com wrote:
>
> Hi All,
>
> A question on the Kerberos implementation (Kerb v5-1.6) that we tested
> and are using now in experimental studies: Does this Kerberos version
> allow distinguishing between different users, in terms of granting
> the TGS ticket for a certain service to certain users and
> refusing the TGS ticket grant for other users?
>
> In our opinion, this is something in the Kerberos logic; otherwise, why
> does Kerberos distribute TGS tickets?
>
> But, in all our experiments, any client who obtains a TGT ticket (i.e.
> successfully authenticates) is granted the TGS ticket when he asks for
> it. Given that we tested the Telnet Kerberised and FTP Kerberised
> services.
>
> I would like to know if someone could tell me about a certain
> configuration in Kerberos that allows for example user1 to have only a
> TGS for the FTP kerberised service (and not for the Telnet Kerberised
> service) and vice-versa for user2.
>
> We understood from the standard of Kerberos (RFC 4120) that the
> authorized data field might be concerned. Is there a certain
> configuration that we need to do for this field ?
>
>
> Thanks for your help
>
> Best Regards
>
> Jacky Forestier

A Kerberos KDC does not make authorization decisions.  When using
Kerberos, authorization decisions are made at the service after the
client performs a successful authentication.

Jeffrey Altman
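
The reply above places the allow/deny decision in the service rather than the KDC. The following Python example is added here for illustration; it is not part of the original thread and is not MIT Kerberos code. It applies a per-service allow list to the user1/user2 scenario from the question, and the realm, ACL entries and function names are assumptions.

```python
# Added illustration; users, realm and ACL entries are constructed sample values.
# Each kerberized service keeps its own allow list; anything not listed is denied.
SERVICE_ACL = {
    "ftp":    {(("user1",), "EXAMPLE.COM")},
    "telnet": {(("user2",), "EXAMPLE.COM")},
}

def parse_principal(name):
    """Split 'comp/comp@REALM' into (components, realm), honoring '\\' escapes."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])      # escaped '/' or '@' is part of the component
            i += 2
            continue
        if ch == "@":                    # first unescaped '@' starts the realm
            realm = name[i + 1:]
            break
        if ch == "/":
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    comps.append("".join(cur))
    if not realm or "@" in realm or "" in comps:
        raise ValueError("malformed principal: %r" % name)
    return tuple(comps), realm

def authorize(service, authenticated_principal):
    """Decide access from the principal the Kerberos library reports as authenticated."""
    try:
        principal = parse_principal(authenticated_principal)
    except ValueError:
        return False
    return principal in SERVICE_ACL.get(service, set())
```

Matching on the full (components, realm) tuple means a principal from another realm, or one with an extra instance such as user1/admin, is denied unless it is listed explicitly.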