Kerberos Feature Request

Daniel Kouril kouril at ics.muni.cz
Thu Feb 12 05:17:13 EST 2004


On Wed, Feb 11, 2004 at 01:02:50PM -0500, Frank Balluffi wrote:
> Daniel,
> 
> Regarding passing authorization data in an AS-REQ, the Microsoft KDC 
> allows a client to specify whether to put PAC data in a ticket or not (see 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp). 
> I am not convinced it is a good idea for a client to specify its 
> authorization data. Might such a mechanism allow a user to increase its 
> privileges?

Frank,
who else than the client knows exactly what privileges she currently needs? I
can imagine a situation where I have a separate (for example) role-based
authZ service which issues "certificates" stating that I'm a common user.
These authZ certificates I use most of the time (and pass them to the services
that can process such certificates). When I need to do some administrative
task, I'll ask the authZ service for another certificate with admin privileges
and pass it on to the end service (as part of the authentication process,
possibly). I would like it if this could be done without the KDC. Does it make
sense?

--
Daniel
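The scheme sketched above, as an added example that is not part of the original thread and not krb5 or Microsoft PAC code: Kerberos still authenticates the client; a separate authZ service issues short-lived, MAC-protected role certificates; the client picks which one to present (common user by default, admin only for administrative work) but cannot mint or alter one, because only the authZ service holds the issuing key. The wire format, the claim names, the role table, the principal names and the use of an HMAC are all this example's own assumptions.

```python
"""Added example: a KDC-independent, role-based authorization service.

Assumptions (not from the original mail): the certificate format, the claim
names, the role-to-permission table and the HMAC construction are this
example's own choices.  Principal names are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical role table: which operations each role may perform.
ROLE_PERMISSIONS = {
    "user": {"read"},
    "admin": {"read", "write", "manage"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthzService:
    """Issues role certificates.  Only this party holds the issuing key."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, principal: str, role: str, now: int, lifetime: int = 300) -> str:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        claims = {
            "sub": principal,       # Kerberos principal the certificate is bound to
            "role": role,
            "exp": now + lifetime,  # short lifetime limits the value of a stolen certificate
            "jti": secrets.token_hex(8),
        }
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(tag)}"


class EndService:
    """Verifies a role certificate against the principal Kerberos authenticated."""

    def __init__(self, key: bytes):
        self._key = key

    def decode(self, cert: str, authenticated_principal: str, now: int) -> dict:
        try:
            body_b64, tag_b64 = cert.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError as exc:
            raise PermissionError("malformed certificate") from exc
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("bad tag")  # forged or tampered claims
        claims = json.loads(body)
        if claims.get("exp", 0) <= now:
            raise PermissionError("expired")
        # The certificate must name the principal the Kerberos exchange authenticated;
        # otherwise choosing a certificate would amount to choosing an identity.
        if claims.get("sub") != authenticated_principal:
            raise PermissionError("certificate not issued to this principal")
        return claims

    def authorize(self, cert: str, authenticated_principal: str, operation: str, now: int) -> bool:
        try:
            claims = self.decode(cert, authenticated_principal, now)
        except PermissionError:
            return False
        return operation in ROLE_PERMISSIONS.get(claims["role"], set())


def tamper_role(cert: str, new_role: str) -> str:
    """What a client trying to escalate would do: rewrite the role, keep the old tag."""
    body_b64, tag_b64 = cert.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["role"] = new_role
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{tag_b64}"


def demo() -> dict:
    """Walk through the scenario from the mail; returns each decision for checking."""
    key = secrets.token_bytes(32)
    authz, service = AuthzService(key), EndService(key)
    now = 1_700_000_000
    alice = "alice@EXAMPLE.COM"  # constructed principal
    user_cert = authz.issue(alice, "user", now)
    admin_cert = authz.issue(alice, "admin", now, lifetime=60)
    return {
        "user_reads": service.authorize(user_cert, alice, "read", now),
        "user_manages": service.authorize(user_cert, alice, "manage", now),
        "admin_manages": service.authorize(admin_cert, alice, "manage", now),
        "forged_admin": service.authorize(tamper_role(user_cert, "admin"), alice, "manage", now),
        "replayed_by_bob": service.authorize(admin_cert, "bob@EXAMPLE.COM", "manage", now),
        "admin_expired": service.authorize(admin_cert, alice, "manage", now + 61),
    }
```

Two caveats a practitioner would raise: with an HMAC, every verifying service holds the same key as the authZ service and could therefore mint certificates itself, so once more than one service (or a service the authZ operator does not fully trust) is involved, the authZ service should sign with a private key and services verify with the public key; and the check against the Kerberos-authenticated principal is what keeps the client's freedom to choose a certificate from becoming a freedom to choose an identity.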
