krb5-1.5-alpha1 is available
Sam Hartman
hartmans at MIT.EDU
Fri Jun 2 12:05:31 EDT 2006
>>>>> "greg" == greg <greg at enjellic.com> writes:

>> We're probably not all that interested in plugins that would
>> encourage violation of RFC 4120, but we are definitely
>> interested in preauth and authz_data plugins.

greg> I would be interested in your definition of violating
greg> RFC 4120. One would certainly not want to violate the form
greg> in which things fly over the wire.

greg> That being said, there would seem to be a number of reasons
greg> for the interception of AS_REQ and TGS_REQ handling.

greg> Consider authorization.

greg> Within our identity model every service conveyed by an
greg> organization to an individual is considered a service
greg> subject to authorization. This includes Kerberos
greg> authentication. Turning off authorization for Kerberos
greg> denies the user the ability to obtain a TGT.
That's fine, and for example our database has a flag for that.

What would concern me, though, is a model where, for example, KDCs were
expected to deny service tickets if a user did not have access to a
service. It's fairly core to Kerberos that issuing a ticket says
nothing about authorization. (The authorization data within the
ticket may make authorization claims.)

--Sam