capaths questions

Douglas E. Engert deengert at
Tue May 18 10:35:46 EDT 2004

Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <william.fiveash at> writes:
>     Will> I would think that the destination kdc should be able to
>     Will> enforce a trusted path policy globally for the realm it
>     Will> serves and not issue tickets for those requests that don't
>     Will> conform to that policy.  Of course an application server
>     Will> should have the option to do its own checking in the
>     Will> circumstance that its policy is more strict than the kdc's.
> The problem with this approach is that it makes it hard for people to
> have trust relationships the KDC does not know about.  Certainly you
> should have to do explicit configuration to accept tickets that the
> KDC has not approved.

But the policy of the KDC does not have to reject every request, it
may only reject requests involving selective services or selective 
realms, or even selective users. 

With two extra bits in the KDC database, you could do both:

 Add a NO_KDC_CHECK bit, to the service entry. The KDC would not
 check the transited field, or other policies, as it will leave it 
 up to the service. Very useful for cross realm TGTs. 

 KDC_CHECK_ALL bit, the KDC should do all checking for the service, 
 and then set the TRANSITED-POLICY-CHECKED bit. Useful for most services
 or where the admin knows the service may not be checking what it should.   

If neither bit is on, then the KDC may do some checking, if it wants.     


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

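The following is an added illustration, not code from this post or from any Kerberos implementation, of how the two proposed per-service bits would steer who checks the transited path. It assumes a simplified capaths-style table keyed on (client realm, server realm) and a transited field already decoded into a plain list of intermediate realms (real KDCs use the compressed transited encoding, which is out of scope here). The names ServiceFlags, CAPATHS, kdc_decide and service_accept are hypothetical; the service-side extra_trusted argument models the explicit local configuration Sam Hartman mentions for accepting a path the KDC did not approve.

```python
from enum import Flag, auto
from typing import Dict, List, Sequence, Tuple

class ServiceFlags(Flag):
    """Hypothetical per-service bits in the KDC database, as proposed in the post."""
    NONE = 0
    NO_KDC_CHECK = auto()   # KDC skips transited checks; the service must check
    KDC_CHECK_ALL = auto()  # KDC checks fully and sets TRANSITED-POLICY-CHECKED

# Constructed sample trust table: (client realm, server realm) -> allowed chains
# of intermediate realms. An empty chain means a direct cross-realm trust.
CAPATHS: Dict[Tuple[str, str], List[List[str]]] = {
    ("A.EXAMPLE", "B.EXAMPLE"): [[]],
    ("A.EXAMPLE", "C.EXAMPLE"): [["B.EXAMPLE"]],
}

def path_is_trusted(client_realm: str, server_realm: str,
                    transited: Sequence[str]) -> bool:
    """True when the decoded transited chain matches a configured trusted path."""
    allowed = CAPATHS.get((client_realm, server_realm))
    if allowed is None:
        return False
    return list(transited) in allowed

def kdc_decide(flags: ServiceFlags, client_realm: str, server_realm: str,
               transited: Sequence[str],
               kdc_default_checks: bool = True) -> Tuple[bool, bool]:
    """KDC side. Returns (issue_ticket, transited_policy_checked).

    NO_KDC_CHECK:  issue without checking, leave the flag clear for the service.
    KDC_CHECK_ALL: issue only if the path is trusted, and then set the flag.
    neither:       the KDC 'may do some checking, if it wants'; modelled by
                   kdc_default_checks.
    """
    if ServiceFlags.NO_KDC_CHECK in flags:
        return True, False
    if ServiceFlags.KDC_CHECK_ALL in flags or kdc_default_checks:
        ok = path_is_trusted(client_realm, server_realm, transited)
        return ok, ok
    return True, False

def service_accept(transited_policy_checked: bool, client_realm: str,
                   server_realm: str, transited: Sequence[str],
                   extra_trusted: Sequence[Sequence[str]] = ()) -> bool:
    """Application server side. Trusts the KDC's flag; otherwise checks the
    path itself, honouring only explicitly configured extra paths."""
    if transited_policy_checked:
        return True
    if path_is_trusted(client_realm, server_realm, transited):
        return True
    return tuple(transited) in {tuple(p) for p in extra_trusted}

if __name__ == "__main__":
    # A.EXAMPLE client reaching C.EXAMPLE via B.EXAMPLE, service marked KDC_CHECK_ALL
    print(kdc_decide(ServiceFlags.KDC_CHECK_ALL, "A.EXAMPLE", "C.EXAMPLE", ["B.EXAMPLE"]))
```

Run stand-alone, the script prints `(True, True)`: the KDC verified the path and set TRANSITED-POLICY-CHECKED, so the service can accept without repeating the check. A cross-realm TGT service marked NO_KDC_CHECK instead gets `(True, False)` and the receiving side must call service_accept itself, which refuses an unknown chain unless that chain is listed in its own extra_trusted configuration.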