Principal naming
Russ Allbery
rra at stanford.edu
Fri Jan 18 14:35:15 EST 2013
Nico Williams <nico at cryptonector.com> writes:

> There's really no point to the /admin thing: since the server requires
> INITIAL tickets there's no risk of use of stolen TGTs for accessing
> kadmin, and if you were to have different pre-authentication
> requirements for kadmin than for initial TGTs the protocol does allow
> that.

Er, it's still a good security practice to use a separate set of
credentials that you don't type into everything all the time to do your
daily work. Particularly given that we still live in a world where
there's a lot of SASL PLAIN over TLS.

It also lets you do things like assign /admin principals randomized keys
and require that people use PKINIT.

So no, there is definitely a point.

> So, yeah, I think it'd be a good idea to start making changes to kadmin
> to stop insisting on /admin principals.

There's no need to make it mandatory, but it already isn't mandatory, so I
don't know what you're talking about. You just don't like the heuristics
used when you don't explicitly specify a principal?

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>