Kerberos Feature Request

Derek Atkins warlord at MIT.EDU
Wed Feb 11 12:49:37 EST 2004

Daniel Kouril <kouril at> writes:

> Henry B. Hotz wrote:
>> I'm not sure if we're on the same wavelength or not.  Let me try again:
>> I think there should be a standard way to fill in PAC data from
>> outside the KDC.
> I'm not sure if I'm missing something, but could you tell me why the
> KDC should do that? If I'm not mistaken, the user can put into the
> AS-REQ message any authorization data she wants and the KDC just copies
> it into the ticket, am I right? If so, then the client can propagate
> into the ticket all the authorization data she needs without any
> intervention of the KDC. I think this is a very useful solution in a world
> of multiple authorization mechanisms, which can use very different
> formats of representation for the authorization attributes. It also
> allows users to build authorization data according to their current needs.

Cool, I can assert "this user is god and should have full access to
all services" into the PAC data and the KDC will just pass it along.

Seriously, there needs to be an "Authorization Service" (AuthN) that
sits alongside the "Authentication Service" (AuthZ).  I'm not saying
whether or not these services are combined or separate, but the AuthZ
service needs to be just as secure as the AuthN service.  You can't
just ask the user to present the AuthZ data to the KDC to be signed.
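The point of the reply, modelled as an added example (not code from this thread or from any Kerberos implementation): a service that honours only authorization data the KDC vouched for under the service key, beside the naive reading that believes anything copied into the ticket. The element type numbers follow RFC 4120, an HMAC stands in for the real checksum, and the key, principal and role names are constructed.

```python
import hmac
import hashlib
import json

# Authorization-data element types as numbered in RFC 4120.
AD_IF_RELEVANT = 1   # advisory container; a service may ignore what it does not understand
AD_KDC_ISSUED = 4    # container whose checksum the KDC computed under the service key


def kdc_issue_ticket(service_key: bytes, client: str, client_authz: list, kdc_authz: list) -> dict:
    """Model of a KDC building a ticket (constructed, not real Kerberos encoding).
    Elements the client put in its AS-REQ are copied verbatim, as the quoted message
    describes.  The KDC's own statements about the principal go into an AD-KDC-ISSUED
    element whose checksum the client cannot forge, because only the KDC and the
    service hold service_key."""
    elements = [{"ad_type": AD_IF_RELEVANT, "elements": client_authz}]
    body = json.dumps(kdc_authz, sort_keys=True).encode()
    mac = hmac.new(service_key, body, hashlib.sha256).hexdigest()
    elements.append({"ad_type": AD_KDC_ISSUED, "checksum": mac, "elements": kdc_authz})
    return {"cname": client, "authorization_data": elements}


def trusted_roles(service_key: bytes, ticket: dict) -> set:
    """Roles the KDC vouched for.  Anything the client placed in the ticket on its own,
    or any KDC-issued element whose checksum does not verify, is ignored."""
    roles = set()
    for el in ticket["authorization_data"]:
        if el["ad_type"] != AD_KDC_ISSUED:
            continue
        body = json.dumps(el["elements"], sort_keys=True).encode()
        expected = hmac.new(service_key, body, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, el["checksum"]):
            roles.update(item["role"] for item in el["elements"])
    return roles


def naive_roles(ticket: dict) -> set:
    """The design the reply warns against: every authz element in the ticket is believed."""
    return {item["role"] for el in ticket["authorization_data"] for item in el["elements"]}


if __name__ == "__main__":
    key = b"constructed-service-key"
    # The client asserts "god" in its AS-REQ; the KDC only knows the principal as "user".
    ticket = kdc_issue_ticket(key, "alice@EXAMPLE.ORG", [{"role": "god"}], [{"role": "user"}])
    print("naive service grants:", sorted(naive_roles(ticket)))
    print("checking service grants:", sorted(trusted_roles(key, ticket)))
```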

