URGENT - Kerberos : Authorization

Marcus Watts mdw at umich.edu
Fri Apr 23 18:50:45 EDT 2010


The user <jacky.forestier at orange-ftgroup.com> urgently asks of us:
> Date:    Fri, 23 Apr 2010 15:48:32 +0200
> To:      <kerberos at mit.edu>
> From:    <jacky.forestier at orange-ftgroup.com>
> Subject: URGENT - Kerberos : Authorization
>  
> Hi All ,
>  
> A question on the kerberos implementation ( Kerb v5-1.6) that we tested
> and are using now in experimental studies: Does this kerberos version
> allow distinguishing between different users in terms of allowing to
> grant the TGS ticket for a certain service for certain users and
> refusing the TGS ticket grant for other users?
> 
> In our opinion, this is something in the Kerberos logic, otherwise why
> does Kerberos distribute TGS tickets?
> 
> But, in all our experiments, any client who obtains a TGT ticket (i.e.
> successfully authenticates) is granted the TGS ticket when he asked for
> it. Given that we tested the Telnet Kerberised and FTP Kerberised
> services. 
> 
> I would like to know if someone could tell me about a certain
> configuration in Kerberos that allows for example user1 to have only a
> TGS for the FTP kerberised service (and not for the Telnet Kerberised
> service) and vice-versa for user2.
> 
> We understood from the standard of Kerberos (RFC 4120) that the
> authorization data field might be concerned. Is there a certain
> configuration that we need to do for this field?
> 
>  
> 
> Thanks for your help
> 
> Best Regards
> 
> Jacky Forestier
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

What you're asking for is an authorization service.  Kerberos is
an authentication service.

Usually, with authorization, you don't *just* want to ask "can foo use bar".
You typically want to ask "can foo using bar do baz".  Kerberos provides
bar the ability to know it's foo.  It's up to bar to decide if "do baz" is
allowed.  "do baz" may be more complicated than access/no access-- for
instance, a given user might be able to read or write file X, but only read
file Y.

If you go through your telnet & ftp server side configuration, you should
find things that allow you to associate kerberos principal names with
local machine identities -- and there, upon talking to the service end, is
where you should find the rejection "you are not a valid user".  For more
complicated services, such as file access, access questions may involve
group lookups, read permissions, and so forth.

Are you using kerberized telnet/ftp from mit krb5 1.6, mit krb5 1.6.3,
the implementations in krb5-appl-1.0-signed.tar or something else
completely different?

For the mit krb5 releases (including krb5-appl), looks to me like
the next few questions to ask are:
/1/ how do you invoke telnetd?
	These will produce different behavior,
	telnetd -a X
		X = user
		X = valid
		X = none (or no -a) option
/2/ ftpd -A or -a ?
/3/ what's in ~user/.k5login?
/4/ do you have these entries in krb5.conf?
	auth_to_local_names
	auth_to_local

				-Marcus Watts
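The reply above says the accept/reject decision for a given user lives on the service side, in the principal-to-local-user mapping (auth_to_local / auth_to_local_names in krb5.conf) and in ~user/.k5login, not in whether the KDC issues a service ticket. The following Python is an added example, not code from the reply or from MIT krb5: it models the documented RULE:[n:string](regexp)s/pattern/replacement/g syntax and the .k5login check in a simplified form, with a constructed configuration (EXAMPLE.COM, PARTNER.COM, the rule list and the .k5login contents are all assumptions), so the reader can see why user1 can be accepted on the ftp host and rejected on the telnet host even though both hosts received a valid service ticket.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (assumptions, not the poster's krb5.conf).
DEFAULT_REALM = "EXAMPLE.COM"
# auth_to_local_names: explicit "principal name without realm" -> local user.
AUTH_TO_LOCAL_NAMES = {"alice/admin": "root"}
# auth_to_local: rules tried in order; first rule producing a name wins.
AUTH_TO_LOCAL_RULES = [
    # single-component principals from PARTNER.COM become "<name>-partner"
    r"RULE:[1:$1@$0](.*@PARTNER\.COM)s/@PARTNER\.COM/-partner/",
    # "<name>/admin" in any realm maps to the plain local account "<name>"
    r"RULE:[2:$1;$2](.*;admin)s/;admin$//",
    # DEFAULT: one-component principal in the default realm -> that component
    "DEFAULT",
]

_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$"
)


@dataclass
class Principal:
    components: list   # e.g. ["host", "ftp.example.com"]
    realm: str


def parse_principal(text):
    """Split 'a/b@REALM' into components and realm; no realm means the default realm."""
    name, sep, realm = text.rpartition("@")
    if not sep:                      # no '@' at all
        name, realm = text, DEFAULT_REALM
    return Principal(name.split("/"), realm)


def apply_rule(rule, p):
    """Evaluate one auth_to_local rule; return the local name or None if it does not apply.
    Simplified model of the documented rule format (regexp must match the whole
    formatted string; a ')' inside the replacement text is not supported)."""
    if rule == "DEFAULT":
        if p.realm == DEFAULT_REALM and len(p.components) == 1:
            return p.components[0]
        return None
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError("unparseable rule: %s" % rule)
    ncomp, fmt, regexp, pattern, repl, glob = m.groups()
    if len(p.components) != int(ncomp):      # [n:...] selects by component count
        return None

    def var(mm):                              # $0 = realm, $1..$n = components
        i = int(mm.group(1))
        if i == 0:
            return p.realm
        if i > len(p.components):
            raise ValueError("rule references $%d but principal has %d components"
                             % (i, len(p.components)))
        return p.components[i - 1]

    s = re.sub(r"\$(\d+)", var, fmt)
    if regexp is not None and re.fullmatch(regexp, s) is None:
        return None
    if pattern is not None:
        s = re.sub(pattern, repl, s, count=0 if glob else 1)
    return s


def aname_to_localname(p):
    """auth_to_local_names is consulted first (modelled for the default realm only),
    then the auth_to_local rules in order. None means 'no local user'."""
    key = "/".join(p.components)
    if p.realm == DEFAULT_REALM and key in AUTH_TO_LOCAL_NAMES:
        return AUTH_TO_LOCAL_NAMES[key]
    for rule in AUTH_TO_LOCAL_RULES:
        local = apply_rule(rule, p)
        if local is not None:
            return local
    return None


def kuserok(principal_text, local_user, k5login=None):
    """Service-side decision: with a .k5login present, the authenticated principal
    must be listed in it; without one, it must map to exactly local_user."""
    if k5login is not None:
        allowed = {line.strip() for line in k5login.splitlines() if line.strip()}
        return principal_text in allowed
    return aname_to_localname(parse_principal(principal_text)) == local_user


def service_decisions():
    """Constructed scenario: same authenticated user, different answers per host,
    because each host's account has a different .k5login (or none at all)."""
    ftp_k5login = "user1@EXAMPLE.COM\nuser2@EXAMPLE.COM\n"   # constructed
    telnet_k5login = "user2@EXAMPLE.COM\n"                    # constructed
    return {
        "user1 on ftp host": kuserok("user1@EXAMPLE.COM", "ftpacct", ftp_k5login),
        "user1 on telnet host": kuserok("user1@EXAMPLE.COM", "shell", telnet_k5login),
        "user2 on telnet host": kuserok("user2@EXAMPLE.COM", "shell", telnet_k5login),
    }


if __name__ == "__main__":
    for who, ok in service_decisions().items():
        print("%-22s %s" % (who, "accepted" if ok else "rejected"))
```

Both hosts trusted the KDC's ticket equally; only the local mapping and the account's .k5login differ, which is the authorization layer the reply points the poster at. The DEFAULT rule also shows why a two-component principal such as host/ftp.example.com@EXAMPLE.COM gets no local user unless a rule says otherwise.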