Principal naming

Chris Hecker checker at d6.com
Sat Jan 19 22:58:16 EST 2013


> do you really think that people use different passwords for */admin
> principals than their regular user principals?

I do.  And, I use / a lot for test accounts and all sorts of stuff.

Chris



On 2013-01-19 15:46, Nico Williams wrote:
> On Fri, Jan 18, 2013 at 1:35 PM, Russ Allbery <rra at stanford.edu> wrote:
>> Nico Williams <nico at cryptonector.com> writes:
>>> There's really no point to the /admin thing: since the server requires
>>> INITIAL tickets there's no risk of use of stolen TGTs for accessing
>>> kadmin, and if you were to have different pre-authentication
>>> requirements for kadmin than for initial TGTs the protocol does allow
>>> that.
>>
>> Er, it's still a good security practice to use a separate set of
>> credentials that you don't type into everything all the time to do your
>> daily work.  Particularly given that we still live in a world where
>> there's a lot of SASL PLAIN over TLS.
>
> That might be true, but a) do you really think that people use
> different passwords for */admin principals than their regular user
> principals? and b) there's no reason that we couldn't have different
> credentials for this without having different identifiers.
>
>> It also lets you do things like assign /admin principals randomized keys
>> and require that people use PKINIT.
>
> kadmind could just require that hardware pre-auth have been done in
> order to allow certain operations.
>
> See also (b) above.  Granted, (b) could only work as long as kadmind
> requires INITIAL tickets, or, if it didn't, as long as the client knew
> how to request extra/different pre-auth and the KDC knew how to label
> the resulting tickets as being differently pre-authenticated.  And
> yes, we can do that.
>
>> So no, there is definitely a point.
>
> But I don't believe that distinct names is necessary for this.
>
> Nico
> --
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
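Added example, not code from the thread or from MIT krb5: a simplified model of the kadmind authorization decision the exchange is about, contrasting a name-based `*/admin` ACL with Nico's alternative of deciding from the flags the KDC put in the ticket (RFC 4120 INITIAL, PRE-AUTHENT, HW-AUTHENT). The operation names and the ACL structure are constructed for illustration and are not the kadm5.acl format.

```python
# Added model (not MIT krb5 code) of the question in the thread: does kadmind
# need a distinct */admin name, or can it decide from the ticket flags the KDC
# set (RFC 4120 flags INITIAL, PRE-AUTHENT, HW-AUTHENT)?
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Ticket:
    client: str                        # e.g. "alice/admin@EXAMPLE.COM"
    flags: frozenset = frozenset()     # ticket flag names set by the KDC


# Operations that, in Nico's proposal, require hardware pre-authentication
# instead of a separate principal name (constructed list for the example).
HW_AUTH_OPS = frozenset({"add_principal", "modify_principal", "change_password_other"})


def acl_match(pattern: str, principal: str) -> bool:
    """Glob match on the full principal name (simplified, unlike kadm5.acl)."""
    return fnmatchcase(principal, pattern)


def authorize(ticket, op, acl, require_hw_for=HW_AUTH_OPS):
    """Return (allowed, reason). acl is a list of (principal_glob, set_of_ops)."""
    # A ticket obtained through a TGT lacks INITIAL, so a stolen TGT cannot be
    # turned into a ticket kadmind accepts; this is what makes the name optional.
    if "INITIAL" not in ticket.flags:
        return False, "ticket not obtained with initial credentials"
    # Flag-based policy: sensitive operations need the KDC's HW-AUTHENT label.
    if op in require_hw_for and "HW-AUTHENT" not in ticket.flags:
        return False, "operation requires hardware pre-authentication"
    for pattern, ops in acl:
        if acl_match(pattern, ticket.client) and ("*" in ops or op in ops):
            return True, f"allowed by acl entry {pattern}"
    return False, "no matching acl entry"
```

The same policy can be attached to a plain user principal instead of `alice/admin`, which is Nico's point (b): the credentials differ, the identifier need not.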
