Concealing user principal names for realm crossover
Rick van Rein
rick at openfortress.nl
Mon Mar 16 06:46:56 EDT 2015
Hello,
Simo Sorce wrote:
>> * Is this concealment of user names considered a good idea?
>
> It may be useful
I now realise I didn’t state my purposes:
* the ability of a remote service to configure access to roles/groups, and leave the assignment of individuals to roles/groups to the sender realm
* privacy of authentication names towards remote realms that may be totally unknown
* more control over return communication by using different names towards different remote parties
>> * Is the idea of going through user/role with KDC-enforced policy good?
>
> I do not think the idea of changing principal names to be particularly
> good.
The path user@MYREALM -> user/group@MYREALM -> group@MYREALM is just one way of doing this, I suppose. It’d be a realm-internal implementation choice to do it this way. I would be interested to learn what you dislike about it.
>> * Am I correct that there are no protocol elements for it yet?
>
> No, there is Authorization Data which you should use for this kind of
> messaging. You can use the CAMMAC now to be able to assign roles in a
> custom AD and have it transported from your TGT to service tickets w/o
> further processing power spent at TGS time.
Thanks, will study.
>> * Are the ideas under (1) and (2) above worth considering?
>
> Probably not. (1) should be handled with additional Authorization Data,
> (2) probably using FAST into a pkinit anonymous channel.
Thanks.
-Rick
P.S. I know this overlaps Kitten activity; I wanted to poll on this user-oriented list first.