RX Kerberos 5 security class requirements of Kerberos library

Jeffrey Altman jaltman at secure-endpoints.com
Tue Jan 2 12:24:29 EST 2007 

Sam Hartman wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
>
>     Jeffrey> Before I submit a patch, is the concept of
>     Jeffrey> krb5_generate_creds_with_keytab something that MIT and
>     Jeffrey> Heimdal would accept?  If so, a patch can be ready in a
>     Jeffrey> few hours.
>
> I'm very uncomfortable with this.  IT takes the KDC out of the loop
> for generating service tickets.  I'm not sure how it will interact
> with future plans for use of authorization data, ticket extensions,
> etc.
>
> --Sam
>
Sam:

This function is being written explicitly to provide service to service
authentication when the services share the same key.   The two scenarios
are:

 * Service A authenticates as service A to service B where the two
services share the same key

 * Service A authenticates as authenticated user U to service B where
Service A is trusted to do so.
    (Think Samba or WebDAV export of AFS without credential delegation
of the client's credentials.)

This provides a benefit to services that rely on the Kerberos 5 ticket
format as an internal authentication token format.  As Love has pointed
out privately, krb5_generate_creds_with_keytab provides functionality
that already exists within Heimdal.  Love implemented similar
functionality so that Samba can authenticate clients via SPNEGO and then
forge
AFS tokens that permit authenticated access to the AFS servers.   This
same idea
has also been applied to WebDAV.  Such functionality does have
limitations and is
certainly not general purpose, but I don't believe it has to be.

Without krb5_generate_creds_with_keytab there are two alternatives that
AFS can pursue:

(1) AFS can use the keytab entry to query the KDC for a ticket for itself.
    Doing so removes the ability of multiple AFS services on the same
machine
    to communicate when the network connection goes down unless there is a
    KDC instance on the machine.

(2) AFS can use a token format that is independent of the Kerberos 5 ticket
    in which case AFS can print as many tokens as it wants without
contacting
    the KDc.

Do you have any further thoughts on the subject?

Thanks.

Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20070102/3a47f6c0/attachment.bin

More information about the krbdev mailing list