ACL for Constrained Delegation?

Simo Sorce simo at redhat.com
Thu Feb 20 17:29:13 EST 2014


On Thu, 2014-02-20 at 22:36 +0100, Rick van Rein wrote:
> Hello Simo,
> 
> I had a look at the project page KerberosDelegationACL, and one thing struck me as odd about the specification.
> 
>  * lack of AllowToImpersonate means ALL clients can be impersonated.
> 
> This appears non-intuitive to me; moreover, treating the “zero case” in a special way almost always leads to trouble, exceptions and security hazards.  If not in code, then it usually confuses the security admin or surrounding scripts.
> 
> I have no idea if this is too late, but the following follows IMHO a more consistent / logical line while retaining expressiveness:
> 
>  * lack of the Krb5DelegationACL class means that NO access control restrictions are applied
>  * lack of AllowToImpersonate means NO clients can be impersonated
>  * to impersonate ALL clients, use a suitable regex memberPrincipal
> 
> 
> FWIW :)

Too late :-)

In the default case you generally allow all in these situations.

This compromise comes from the fact that there is no real grouping
mechanism in the KDC nor a way to express the concept of "all"; a regex
would not really do it unless you are thinking of ".*".

We could change the code so that you have to add the literal "ALL"
maybe, I am not opposed, and could easily migrate FreeIPA users to that
syntax.

Shawn, what do you think ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
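Added example, not code from the thread, MIT krb5 or FreeIPA: a small model of the two readings of the "zero case" debated above, using the class and attribute names from the message (Krb5DelegationACL, AllowToImpersonate, memberPrincipal); the entry layout, the spelling of the "ALL" literal and the sample principals are assumptions.

```python
# Model of Krb5DelegationACL evaluation under the current and the proposed
# semantics.  Entry layout is an assumed simplification: each ACL is a dict
# with "cn", "memberPrincipal" (services the ACL applies to) and an optional
# "AllowToImpersonate" list of client principals.

ALL = "ALL"  # explicit "everyone" marker suggested in the reply (assumed spelling)


def may_impersonate_current(acl_entry, client):
    """Current spec: a missing/empty AllowToImpersonate permits ALL clients."""
    if acl_entry is None:                      # no Krb5DelegationACL object
        return True                            # -> no restrictions applied
    allowed = acl_entry.get("AllowToImpersonate") or []
    if not allowed:                            # the "zero case": default-allow
        return True
    return client in allowed


def may_impersonate_proposed(acl_entry, client):
    """Proposal: a missing/empty AllowToImpersonate permits NO clients; allowing
    everyone requires the explicit ALL literal."""
    if acl_entry is None:                      # still "no ACL = no restrictions"
        return True
    allowed = acl_entry.get("AllowToImpersonate") or []
    if not allowed:                            # zero case: default-deny
        return False
    return ALL in allowed or client in allowed


def audit_default_allow(entries):
    """Names of ACL entries that silently rely on the implicit 'all clients'
    rule, i.e. whose behaviour would flip under the proposed semantics."""
    return [e["cn"] for e in entries if not e.get("AllowToImpersonate")]


# Constructed sample entries (principal names invented for the example).
SAMPLE_ENTRIES = [
    {"cn": "web-to-db",
     "memberPrincipal": ["HTTP/web.example.test"],
     "AllowToImpersonate": ["alice@EXAMPLE.TEST"]},
    {"cn": "proxy-all",
     "memberPrincipal": ["HTTP/proxy.example.test"]},   # no list: zero case
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["cn"], may_impersonate_current(e, "bob@EXAMPLE.TEST"),
              may_impersonate_proposed(e, "bob@EXAMPLE.TEST"))
    print("default-allow entries:", audit_default_allow(SAMPLE_ENTRIES))
```

`audit_default_allow` is the check an admin would run before a migration to an explicit "ALL" syntax, since every entry it lists currently permits impersonating any client.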