Kerberos Feature Request
Frank Balluffi
frank.balluffi at db.com
Wed Feb 11 13:02:50 EST 2004
Daniel,
Regarding passing authorization data in an AS-REQ, the Microsoft KDC
allows a client to specify whether to put PAC data in a ticket or not (see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp).
I am not convinced it is a good idea for a client to specify its
authorization data. Might such a mechanism allow a user to increase its
privileges?
Frank
Daniel Kouril <kouril at ics.muni.cz>
Sent by: krbdev-bounces at mit.edu
02/11/2004 11:38 AM
To: "Henry B. Hotz" <hotz at jpl.nasa.gov>
cc: krbdev at mit.edu, Sam Hartman <hartmans at mit.edu>, Byrne
<Dj.Byrne at jpl.nasa.gov>
Subject: Re: Kerberos Feature Request
Henry B. Hotz wrote:
> I'm not sure if we're on the same wavelength or not. Let me try again:
>
> I think there should be a standard way to fill in PAC data from outside
> the KDC.
I'm not sure if I'm not missing something, but could you tell me why the KDC
should do that? If I'm not mistaken, the user can put into the AS-REQ
message any authorization data she wants and the KDC just copies them to
the ticket, am I right? If so, then the client can propagate to the
ticket all authorization data she needs without any intervention of the KDC.
I think this is a very useful solution in a world of multiple
authorization mechanisms, which can use very different formats of
representations of the authorization attributes. It also allows users to
build authorization data according to their current needs.
cheers,
--
Daniel
_______________________________________________
krbdev mailing list krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev