ACL for Constrained Delegation?
Simo Sorce
simo at redhat.com
Thu Feb 20 17:29:13 EST 2014
On Thu, 2014-02-20 at 22:36 +0100, Rick van Rein wrote:
> Hello Simo,
>
> I had a look at the project page KerberosDelegationACL, and one thing struck me as odd about the specification.
>
> * lack of AllowToImpersonate means ALL clients can be impersonated.
>
> This appears non-intuitive to me; moreover, treating the “zero case” in a special way almost always leads to trouble, exceptions and security hazards. If not in code, then it usually confuses the security admin or surrounding scripts.
>
> I have no idea if this is too late, but the following follows IMHO a more consistent / logical line while retaining expressiveness:
>
> * lack of the Krb5DelegationACL class means that NO access control restrictions are applied
> * lack of AllowToImpersonate means NO clients can be impersonated
> * to impersonate ALL clients, use a suitable regex memberPrincipal
>
>
> FWIW :)
Too late :-)
In the default case you generally allow all in these situations.
This compromise comes from the fact that there is no real grouping
mechanism in the KDC nor a way to express the concept of "all", a regex
would not really do it unless you are thinking of ".*"
We could change the code so that you have to add the literal "ALL"
maybe, I am not opposed, and could easily migrate FreeIPA users to that
syntax.
Shawn, what do you think ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
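Added illustration (not MIT Kerberos or FreeIPA code) of the two "missing attribute" semantics discussed above: a small policy check over constructed ACL entries using the attribute names from the thread, plus an audit helper that flags entries lacking AllowToImpersonate. The dict layout and principal names are assumptions, not the real LDAP schema.

```python
"""Evaluate a constrained-delegation ACL under the two semantics in the thread.
Constructed example; attribute names mirror the thread (memberPrincipal,
AllowToImpersonate), the entry layout is a plain dict, not the real schema."""

# Constructed sample ACL entries (one per service allowed to use S4U2Proxy).
ACL_ENTRIES = [
    {"memberPrincipal": ["HTTP/web.example.com@EXAMPLE.COM"],
     "AllowToImpersonate": ["alice@EXAMPLE.COM", "bob@EXAMPLE.COM"]},
    # Admin left out AllowToImpersonate entirely: the "zero case" at issue.
    {"memberPrincipal": ["cifs/files.example.com@EXAMPLE.COM"]},
    # "Allow everyone" spelled out as a literal, per the proposal in the reply.
    {"memberPrincipal": ["HTTP/proxy.example.com@EXAMPLE.COM"],
     "AllowToImpersonate": ["ALL"]},
]


def may_impersonate(entries, service, client, missing_means_all):
    """Return True if `service` may obtain a ticket on behalf of `client`.

    missing_means_all=True : an entry without AllowToImpersonate permits
                             every client (the semantics that shipped).
    missing_means_all=False: an entry without AllowToImpersonate permits
                             no client; "ALL" must be written explicitly.
    """
    for entry in entries:
        if service not in entry.get("memberPrincipal", []):
            continue
        allowed = entry.get("AllowToImpersonate")
        if allowed is None:
            if missing_means_all:
                return True
            continue
        if "ALL" in allowed or client in allowed:
            return True
    return False


def audit_zero_case(entries):
    """Services whose entry lacks AllowToImpersonate, i.e. entries that
    silently grant impersonation of everyone under the shipped semantics."""
    return [svc for e in entries if "AllowToImpersonate" not in e
            for svc in e.get("memberPrincipal", [])]
```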