URGENT - Kerberos : Authorization

Jeff Blaine jblaine at kickflop.net
Fri Apr 23 18:35:43 EDT 2010


What you're describing, as I read it, is authorization.

Kerberos is an authentication service.

If you would like to *authorize* certain users to
use an FTP service, I believe you should be looking
outside of Kerberos for that functionality.

On 4/23/2010 9:48 AM, jacky.forestier at orange-ftgroup.com wrote:
>
> Hi All,
>
> A question on the Kerberos implementation (Kerb v5-1.6) that we tested
> and are using now in experimental studies: Does this Kerberos version
> allow to distinguish between different users in terms of allowing to
> grant the TGS ticket for a certain service for certain users and
> refusing the TGS ticket grant for other users?
>
> In our opinion, this is something in the Kerberos logic, otherwise why
> does Kerberos distribute TGS tickets?
>
> But, in all our experiments, any client who obtains a TGT ticket (i.e.
> successfully authenticates) is granted the TGS ticket when he asked for
> it. Given that we tested the Telnet Kerberised and FTP Kerberised
> services.
>
> I would like to know if someone could tell me about a certain
> configuration in Kerberos that allows for example user1 to have only a
> TGS for the FTP kerberised service (and not for the Telnet Kerberised
> service) and vice-versa for user2.
>
> We understood from the standard of Kerberos (RFC 4120) that the
> authorized data field might be concerned. Is there a certain
> configuration that we need to do for this field?
>
>
>
> Thanks for your help
>
> Best Regards
>
> Jacky Forestier

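An added example, not part of the original thread and not code from MIT Kerberos: one way to do the authorization outside Kerberos, as the reply suggests, is for each kerberized service to check the already-authenticated client principal against its own access list. The ACL format, the sample entries and all function names are assumptions made for illustration.

```python
# Added example: the ACL format and every name here are hypothetical,
# not part of MIT Kerberos.

def split_principal(name):
    """Split 'a/b@REALM' into (components, realm), honouring backslash escapes."""
    parts, cur, in_realm = [], [], False
    it = iter(name)
    for ch in it:
        if ch == "\\":
            cur.append(next(it, ""))          # escaped character is literal
        elif ch in "/@" and not in_realm:
            parts.append("".join(cur))
            cur = []
            in_realm = (ch == "@")
        else:
            cur.append(ch)
    realm = "".join(cur)
    if not in_realm or not realm:
        raise ValueError("principal has no realm: %r" % name)
    return tuple(parts), realm

def load_acl(text):
    """Parse lines of '<service> <principal-pattern>'; '#' starts a comment."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            service, pattern = line.split()
            acl.setdefault(service, []).append(split_principal(pattern))
    return acl

def is_authorized(acl, service, client):
    """Default deny: allow only if an entry for this service matches."""
    try:
        comps, realm = split_principal(client)
    except ValueError:
        return False
    # '*' matches exactly one whole component, never across '/' or '@'.
    return any(p_realm == realm and len(p_comps) == len(comps)
               and all(p in ("*", c) for p, c in zip(p_comps, comps))
               for p_comps, p_realm in acl.get(service, []))

SAMPLE_ACL = """
# constructed sample: user1 may use FTP only, user2 Telnet only
ftp     user1@EXAMPLE.COM
telnet  user2@EXAMPLE.COM
ftp     */admin@EXAMPLE.COM
"""
ACL = load_acl(SAMPLE_ACL)
```

The service would call `is_authorized` with the client principal it obtained after accepting the ticket, so a valid service ticket alone grants nothing.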