disallow requests naming principal as a service

Sam Hartman hartmans at MIT.EDU
Wed Mar 27 15:35:01 EST 2002

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at ubsw.com> writes:

It is
    Nicolas> generally the case that Kerberos clients fetch service
    Nicolas> tickets before attempting to connect to the services,
    Nicolas> after all. 

No, actually, neither SASL nor GSSAPI SPNEGO nor the GSSAPI support in
Ssh does this.  In IETF protocols that use Kerberos, you tend to have committed to Kerberos before you get the service ticket.

My main problem with the KDC negotiation of U2U is that encouraging
its use encourages bad protocol design.  We want people to negotiate
whether to use Kerberos at all; when they do that negotiation they
might as well do the U2U negotiation at the same time.  So for
properly designed protocols the KDC negotiation is unnecessary.

I understand the value for some existing protocols and agree that
support for the error return is justified.

    Nicolas> That said, negotiation of U2U at the KDC
    Nicolas> exchange looks really rickety - at the very least it
    Nicolas> would be nice to have authenticated plaintext.

    Nicolas> I'd rather that the app know a priori. If it can't know
    Nicolas> then I don't mind it negotiating U2U vs. traditional AP
    Nicolas> exchange at the TGS exchange.  
OK, we seem to be in agreement here.

More information about the krbdev mailing list