GSS_C_NO_NAME for desired_name?

Brian Candler B.Candler at
Sat Jan 1 09:31:29 EST 2011

On Fri, Dec 31, 2010 at 12:34:13PM -0500, Greg Hudson wrote:
> On Fri, 2010-12-31 at 06:32 -0500, Brian Candler wrote:
> > I'd like to propose this upstream, but first would like some feedback as to
> > whether this is likely to be a safe change to make, remembering that some
> > people may be using older versions of MIT, or different Kerberos libraries,
> > underneath GSSAPI.
> It's quite interoperable.
> The one potential concern is that by allowing the initiator to use any
> key in the keytab, you could potentially allow a client to authenticate
> to, say, a host service using an HTTPD service ticket, if both keys are
> in the host keytab.  That gives your httpd a way to get root access,
> potentially.

But if you were able to get a ticket for HTTP/foo, wouldn't the KDC also
give you a ticket for host/foo ?

My understanding was that Kerberos was about authentication rather than
authorization, and the KDC will happily give you a ticket for anyone that
you want to prove your identity to.  Are some people putting controls on the
issuance of tickets as a means of access control?



More information about the Kerberos mailing list