Kerberos Feature Request
Sam Hartman
hartmans at MIT.EDU
Wed Feb 11 13:39:27 EST 2004
>>>>> "Frank" == Frank Balluffi <frank.balluffi at db.com> writes:
Frank> Daniel, Regarding passing authorization data in an
Frank> AS-REQ, the Microsoft KDC allows a client to specify
Frank> whether to put PAC data in a ticket or not (see
Frank> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp).
Frank> I am not convinced it is a good idea
Frank> for a client to specify its authorization data. Might such
Frank> a mechanism allow a user to increase its privileges? Frank

Folks, this discussion has drifted far enough away from reality that
it is no longer appropriate for krbdev. Even if it drifts back to
reality it's all been fairly well hashed out before.

1) You cannot add authorization data in an AS request, only a TGS
request.

2) There are mechanisms to deal with avoiding increasing privileges.
Please read Kerberos clarifications. Particularly look at the
KDC-ISSUED authorization data.

If someone wants to propose a plugin API or more interestingly to
implement it, discussing that here on krbdev would be fine.