RX Kerberos 5 security class requirements of Kerberos library
jaltman at secure-endpoints.com
Wed Jan 3 09:19:49 EST 2007
Sam Hartman wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
> Jeffrey> Marcus Watts wrote:
> >> Sam Hartman <hartmans at mit.edu> writes:
> >>>>>>>> "Marcus" == Marcus Watts <mdw at umich.edu> writes:
> Marcus> I hope that answer's Sam's concerns regarding not going
> Marcus> through the KDC for this code path.
> >>> Not entirely. I definitely think that when there is a KDC
> >>> available that you should use it. I'm willing to accept that
> >>> you might want a fallback for talking to local services when
> >>> you have a key and no network.
> >>> --Sam
> >> Ok. Let's talk about that. How does the AFS "server-side"
> >> client code know when the KDC is up? What value is the KDC
> >> going to add in participating in this process? What use is
> >> another AFS server going to put in whatever might be provided
> >> by the KDC that couldn't be constructed directly by the remote
> >> server? How can that AFS server know that any such added data
> >> was in fact authentic secure data added by the KDC and not just
> >> something made up by another server with access to the service
> >> key? I can think of a lot of interesting things that might be
> >> done by some future KDC (though not very many that present
> >> KDC's do) -- but I can't think of any that are relevant to
> >> -localauth.
> Jeffrey> The AFS folks are thinking primarily about how AFS works
> Jeffrey> today in the legacy of kaserver and how can we easily
> Jeffrey> implement -localauth based upon that architecture.
> Jeffrey> Sam and Nico are considering other possibilities. For
> Jeffrey> one, there are uses for such an API for non-local auth
> Jeffrey> uses. Think of Love's forging of AFS user tokens by
> Jeffrey> Samba. This is not a local auth operation and it could
> Jeffrey> very well benefit from contact with the KDC.
> I'm explicitly trying to limit this API to localauth. Nico disagrees
> with that.
We can enforce the localauth case by how the client keytab is used.
More information about the krbdev