GSS_C_NO_NAME for desired_name?
Brian Candler
B.Candler at pobox.com
Sat Jan 1 09:31:29 EST 2011
On Fri, Dec 31, 2010 at 12:34:13PM -0500, Greg Hudson wrote:
> On Fri, 2010-12-31 at 06:32 -0500, Brian Candler wrote:
> > I'd like to propose this upstream, but first would like some feedback as to
> > whether this is likely to be a safe change to make, remembering that some
> > people may be using older versions of MIT, or different Kerberos libraries,
> > underneath GSSAPI.
>
> It's quite interoperable.
>
> The one potential concern is that by allowing the initiator to use any
> key in the keytab, you could potentially allow a client to authenticate
> to, say, a host service using an HTTPD service ticket, if both keys are
> in the host keytab. That gives your httpd a way to get root access,
> potentially.
But if you were able to get a ticket for HTTP/foo, wouldn't the KDC also
give you a ticket for host/foo ?
My understanding was that Kerberos was about authentication rather than
authorization, and the KDC will happily give you a ticket for anyone that
you want to prove your identity to. Are some people putting controls on the
issuance of tickets as a means of access control?
Regards,
Brian.
More information about the Kerberos
mailing list