Principal naming

Nico Williams nico at cryptonector.com
Sat Jan 19 18:46:34 EST 2013


On Fri, Jan 18, 2013 at 1:35 PM, Russ Allbery <rra at stanford.edu> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>> There's really no point to the /admin thing: since the server requires
>> INITIAL tickets there's no risk of use of stolen TGTs for accessing
>> kadmin, and if you were to have different pre-authentication
>> requirements for kadmin than for initial TGTs the protocol does allow
>> that.
>
> Er, it's still a good security practice to use a separate set of
> credentials that you don't type into everything all the time to do your
> daily work.  Particularly given that we still live in a world where
> there's a lot of SASL PLAIN over TLS.

That might be true, but a) do you really think that people use
different passwords for */admin principals than their regular user
principals? and b) there's no reason that we couldn't have different
credentials for this without having different identifiers.

> It also lets you do things like assign /admin principals randomized keys
> and require that people use PKINIT.

kadmind could just require that hardware pre-auth have been done in
order to allow certain operations.

See also (b) above.  Granted, (b) could only work as long as kadmind
requires INITIAL tickets, or, if it didn't, as long as the client knew
how to request extra/different pre-auth and the KDC knew how to label
the resulting tickets as being differently pre-authenticated.  And
yes, we can do that.

> So no, there is definitely a point.

But I don't believe that distinct names are necessary for this.

Nico
--
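The policy sketched in the reply above (kadmind keys authorization on how the ticket was obtained rather than on a separate "/admin" name) can be made concrete against the RFC 4120 ticket flags. The following is an added example and is not code from this thread, from MIT kadmind, or from any Kerberos implementation. The flag bit positions (initial = 9, pre-authent = 10, hw-authent = 11, bit 0 being the most significant bit of the first octet) are taken from RFC 4120 section 5.3.1; the split of kadmin operations into "routine" and "privileged", and the rule that privileged operations need the hw-authent flag, are assumptions made for illustration.

```python
# Added example: an authorization check keyed on RFC 4120 TicketFlags,
# not on the client principal's instance. Not kadmind code.

# RFC 4120 section 5.3.1 TicketFlags bit positions (ASN.1 BIT STRING,
# bit 0 is the MSB of the first octet). Bit 0 is reserved.
TICKET_FLAG_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may-postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "hw-authent": 11,
    "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}


def decode_ticket_flags(raw: bytes) -> frozenset:
    """Return the names of the flags set in a TicketFlags bit string.

    `raw` is the BIT STRING contents (4 octets in practice) without the
    DER tag, length, or the leading unused-bits octet.
    """
    if len(raw) < 2:
        raise ValueError("TicketFlags needs at least 2 octets to cover bits 0-13")
    names = set()
    for name, bit in TICKET_FLAG_BITS.items():
        octet, offset = divmod(bit, 8)
        if octet < len(raw) and raw[octet] & (0x80 >> offset):
            names.add(name)
    return frozenset(names)


def encode_ticket_flags(names) -> bytes:
    """Inverse of decode_ticket_flags; used here to build sample tickets."""
    out = bytearray(4)
    for name in names:
        octet, offset = divmod(TICKET_FLAG_BITS[name], 8)
        out[octet] |= 0x80 >> offset
    return bytes(out)


# Assumed operation classes for this example (not a kadmind rule).
PRIVILEGED_OPS = {"add_principal", "delete_principal", "modify_principal",
                  "change_password_other"}
ROUTINE_OPS = {"change_own_password", "get_principal", "list_principals"}


def kadmin_authorize(ticket_flags: frozenset, op: str) -> tuple:
    """Decide whether a ticket presented to kadmind may perform `op`.

    Rule 1 (what the thread says kadmind already requires): the ticket must
    carry the initial flag, so a TGS-derived ticket from a stolen TGT is
    rejected.  Rule 2 (the reply's proposal, as an assumption here):
    privileged operations additionally require hw-authent, i.e. the KDC
    labelled the ticket as obtained with hardware pre-authentication.
    """
    if "initial" not in ticket_flags:
        return False, "ticket was not obtained by an AS exchange"
    if op in PRIVILEGED_OPS:
        if "hw-authent" not in ticket_flags:
            return False, "privileged operation requires hardware pre-auth"
        return True, "ok"
    if op in ROUTINE_OPS:
        return True, "ok"
    return False, "unknown operation"


# Constructed sample tickets (flag strings only, no real Kerberos messages).
SAMPLE_TICKETS = {
    # initial ticket from a password AS exchange with pre-auth
    "password_initial": encode_ticket_flags(
        {"forwardable", "renewable", "initial", "pre-authent"}),
    # initial ticket from a hardware (e.g. PKINIT-on-token) AS exchange
    "hardware_initial": encode_ticket_flags(
        {"forwardable", "renewable", "initial", "pre-authent", "hw-authent"}),
    # service ticket obtained via TGS from a (possibly stolen) TGT
    "tgs_derived": encode_ticket_flags({"forwardable", "pre-authent"}),
}


def evaluate_samples() -> dict:
    """Run the policy over every sample ticket and operation."""
    results = {}
    for name, raw in SAMPLE_TICKETS.items():
        flags = decode_ticket_flags(raw)
        for op in sorted(PRIVILEGED_OPS | ROUTINE_OPS):
            results[(name, op)] = kadmin_authorize(flags, op)[0]
    return results


if __name__ == "__main__":
    for (ticket, op), allowed in sorted(evaluate_samples().items()):
        print(f"{ticket:18} {op:24} {'allow' if allowed else 'deny'}")
```

The point of the example is that the same user principal ends up with three different privilege levels depending only on the ticket's flags, which is the "different credentials without different identifiers" the reply argues for; whether a real deployment should also keep distinct names is the question the thread leaves open.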