RX Kerberos 5 security class requirements of Kerberos library

Douglas E. Engert deengert at anl.gov
Wed Jan 3 11:28:09 EST 2007

Sam Hartman wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:

> I'd really appreciate feedback from those not involved in AFS either
> as users or developers on two issues. 

I am involved, but would like to answer your questions anyway.

> First, whether we should
> introduce AFS-specific functionality into Kerberos. 

I would say no. But this does not look like an AFS specific routine.

> Second on whether this is a desirable function to expose as a general 
 > function that is not AFS specific.

Yes. What is does allow is for an application to use Kerberos tickets 
internally but use a different authentication method. A KDC is not
required in this case.

> I'd appreciate input from the AFS community on what we can do if we
> decide that this functionality needs to be AFS specific to limit its
> general applicability.

I did not see any AFS specifics in the routine. Did I miss something?

   krb5_error_code KRB5_CALLCONV
       krb5_context context,
       krb5_keytab keytab,
       krb5_principal service,
       krb5_principal client,
       time_t starttime,
       time_t endtime,
       krb5_enctype *allowed_enctypes,
       krb5_address *address,
       krb5_creds** out_creds /* out */ )

As you point out in other notes, there is no way to add authz data,
and maybe there should be. But then this authz data is for the 
application itself, as it is issuing the ticket. You could add a
parameter for authz data.

Since the application already knows its own key, there is no way
with the present Kerberos protocol to stop an application developer
from writing their own version of this routine. And there is no
way to detect if the ticket was generated by a KDC or the application
itself, (or a hacker who has stolen the key and generated a ticket.)

> --Sam
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list