Douglas E. Engert
deengert at anl.gov
Tue May 18 10:35:46 EDT 2004
Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <william.fiveash at sun.com> writes:
> Will> I would think that the destination kdc should be able to
> Will> enforce a trusted path policy globally for the realm it
> Will> serves and not issue tickets for those requests that don't
> Will> conform to that policy. Of course an application server
> Will> should have the option to do its own checking in the
> Will> circumstance that its policy is more strict than the kdc's.
> The problem with this approach is that it makes it hard for people to
> have trust relationships the KDC does not know about. Certainly you
> should have to do explicit configuration to accept tickets that the
> KDC has not approved.
But the policy of the KDC does not have to reject every request, it
may only reject requests involving selective services or selective
realms, or even selective users.
With two extra bits in the KDC database, you could do both:
Add a NO_KDC_CHECK bit, to the service entry. The KDC would not
check the transited field, or other policies, as it will leave it
up to the service. Very useful for cross realm TGTs.
KDC_CHECK_ALL bit, the KDC should do all checking for the service,
and then set the TRANSITED-POLICY-CHECKED bit. Useful for most services
or where the admin knows the service may not be checking what it should.
If neither bit is on, then the KDC may do some checking, if it wants.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
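The following is an added toy model of the two per-service bits proposed in the message above and of the application-server side that Will Fiveash describes. It is illustration only, not code from MIT Kerberos or from the message's author: the bit values, the `trusted_realms`/`denied_realms` policy sets, the plain comma-separated transited encoding and all function and realm names are assumptions. The point it shows is how the TRANSITED-POLICY-CHECKED flag lets a service tell "the KDC checked this path" from "nobody checked it", and how a service with a stricter policy rechecks regardless.

```python
"""Toy model (added example, hypothetical API) of per-service KDC
transited-policy bits and the matching application-server check."""
from dataclasses import dataclass, field
from typing import Optional

# Service-entry bits in the KDC database (hypothetical values).
NO_KDC_CHECK = 0x1    # KDC skips transited checking, leaves it to the service
KDC_CHECK_ALL = 0x2   # KDC checks everything and marks the ticket as checked

# Ticket flag set only when the KDC actually enforced transited policy
# (RFC 4120 calls this TRANSITED-POLICY-CHECKED; value here is assumed).
TRANSITED_POLICY_CHECKED = 0x1


def parse_transited(transited: str) -> list:
    """Assumed plain comma-separated realm list; the RFC 4120 compressed
    encoding is deliberately not modelled."""
    return [r for r in transited.split(",") if r]


def path_allowed(path: list, trusted: set) -> bool:
    """Every intermediate realm must be one the policy trusts.
    An empty path (no cross-realm hop) is always allowed."""
    return all(realm in trusted for realm in path)


@dataclass
class KdcPolicy:
    realm: str
    trusted_realms: set                          # full check passes only these
    denied_realms: set = field(default_factory=set)  # "some checking" case
    service_bits: dict = field(default_factory=dict)  # service principal -> bits


@dataclass
class Ticket:
    client: str
    service: str
    transited: str
    flags: int = 0


def kdc_issue(policy: KdcPolicy, client: str, service: str,
              transited: str) -> Optional[Ticket]:
    """KDC decision: a Ticket, or None when the request is refused."""
    bits = policy.service_bits.get(service, 0)
    path = parse_transited(transited)
    if bits & NO_KDC_CHECK:
        # No check at all, so the checked flag must stay clear: the service
        # (e.g. the next KDC for a cross-realm TGT) is expected to check.
        return Ticket(client, service, transited)
    if bits & KDC_CHECK_ALL:
        if not path_allowed(path, policy.trusted_realms):
            return None
        return Ticket(client, service, transited, TRANSITED_POLICY_CHECKED)
    # Neither bit: the KDC "may do some checking". Here it only refuses
    # paths through explicitly denied realms and, because that is not a
    # full check, it does not claim TRANSITED-POLICY-CHECKED.
    if any(realm in policy.denied_realms for realm in path):
        return None
    return Ticket(client, service, transited)


def service_accept(ticket: Ticket, own_trusted: Optional[set]) -> bool:
    """Application-server side. own_trusted=None means 'no local policy,
    rely on the KDC'; a set means the service enforces its own list even
    when the KDC says it already checked (its policy may be stricter)."""
    kdc_checked = bool(ticket.flags & TRANSITED_POLICY_CHECKED)
    if own_trusted is None:
        # Fail closed: an unchecked path with no local policy is rejected.
        return kdc_checked
    return path_allowed(parse_transited(ticket.transited), own_trusted)


# Constructed sample policy for a realm with two configured services.
POLICY = KdcPolicy(
    realm="EXAMPLE.ORG",
    trusted_realms={"PARTNER.ORG"},
    denied_realms={"EVIL.ORG"},
    service_bits={
        "krbtgt/EXAMPLE.ORG": NO_KDC_CHECK,       # cross-realm TGT
        "host/srv.example.org": KDC_CHECK_ALL,    # ordinary service
    },
)

if __name__ == "__main__":
    for svc, path in [("host/srv.example.org", "PARTNER.ORG"),
                      ("host/srv.example.org", "UNKNOWN.ORG"),
                      ("krbtgt/EXAMPLE.ORG", "UNKNOWN.ORG"),
                      ("ldap/dir.example.org", "EVIL.ORG")]:
        t = kdc_issue(POLICY, "alice@ORIGIN.ORG", svc, path)
        print(svc, path, "->", "refused" if t is None else f"flags={t.flags}")
```

Note the asymmetry the model is built around: the checked flag is only ever set on the KDC_CHECK_ALL path, so a service that sees it clear knows it must either apply its own list or refuse, which is exactly the configuration Sam Hartman says should be explicit on the service side.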