capaths questions

Sam Hartman hartmans at MIT.EDU
Tue May 18 11:45:47 EDT 2004

>>>>> "Douglas" == Douglas E Engert <deengert at> writes:

    Douglas> But the policy of the KDC does not have to reject every
    Douglas> request, it may only reject requests involving selective
    Douglas> services or selective realms, or even selective users.

I do agree you can do this.  I also suspect our KDC will retain the
feature although the default mode will change.

But this gets into an area best described as authorization rather
than authentication.  Traditionally the Kerberos community believes
that authorization decisions should in general be left to applications.

Note that I'm using should very close to its RFC 2119 meaning; as a
general policy KDCs should be permissive in this regard.  As a general
policy application servers should be restrictive.  Other options will
also be necessary for environments that need them.

