RX Kerberos 5 security class requirements of Kerberos library
Douglas E. Engert
deengert at anl.gov
Wed Jan 3 11:28:09 EST 2007
Sam Hartman wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
>
> I'd really appreciate feedback from those not involved in AFS either
> as users or developers on two issues.
I am involved, but would like to answer your questions anyway.
> First, whether we should
> introduce AFS-specific functionality into Kerberos.
I would say no. But this does not look like an AFS specific routine.
> Second on whether this is a desirable function to expose as a general
> function that is not AFS specific.
Yes. What it does allow is for an application to use Kerberos tickets
internally but use a different authentication method. A KDC is not
required in this case.
>
> I'd appreciate input from the AFS community on what we can do if we
> decide that this functionality needs to be AFS specific to limit its
> general applicability.
I did not see any AFS specifics in the routine. Did I miss something?
krb5_error_code KRB5_CALLCONV
krb5_generate_creds_with_keytab(
    krb5_context context,
    krb5_keytab keytab,
    krb5_principal service,
    krb5_principal client,
    time_t starttime,
    time_t endtime,
    krb5_enctype *allowed_enctypes,
    krb5_address *address,
    krb5_creds **out_creds /* out */ );
As you point out in other notes, there is no way to add authz data,
and maybe there should be. But then this authz data is for the
application itself, as it is issuing the ticket. You could add a
parameter for authz data.
Since the application already knows its own key, there is no way
with the present Kerberos protocol to stop an application developer
from writing their own version of this routine. And there is no
way to detect if the ticket was generated by a KDC or the application
itself (or a hacker who has stolen the key and generated a ticket).
>
> --Sam
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
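The point made above about KDC-issued and self-issued tickets being indistinguishable can be shown with a small model. The following is an added example, not code from the krbdev thread or from the MIT Kerberos library: it stands in for the proposed krb5_generate_creds_with_keytab with a toy issue_ticket() function, and the "encryption" is a constructed HMAC-based encrypt-then-MAC scheme, not RFC 3961 Kerberos encryption. The principal names and keys are constructed sample values.

```python
"""Toy model of Kerberos ticket issuance: a ticket is the ticket fields
encrypted under the service's long-term key, so the verifying service can
only check "does this decrypt under my key?", never "who encrypted it?".
Constructed example; the cipher below is illustrative, not RFC 3961."""
import hashlib
import hmac
import json
import os

# Constructed sample keys. In real Kerberos the service key lives both in
# the KDC database and in the service's keytab, which is the whole point.
SERVICE_KEY = hashlib.sha256(b"constructed afs/cell@EXAMPLE.ORG key").digest()
OTHER_KEY = hashlib.sha256(b"constructed unrelated service key").digest()


def _keystream(key, nonce, length):
    """Toy CTR-style keystream derived with HMAC-SHA256 (illustrative only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, fields):
    """Encrypt-then-MAC the ticket fields under `key`.  Note that the
    resulting blob records nothing about which party performed the sealing."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    plaintext = json.dumps(fields, sort_keys=True).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Inverse of seal(); returns None when the MAC fails (wrong key or tampering)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


def issue_ticket(service_key, client, service, starttime, endtime, authz=None):
    """Stand-in for the proposed routine: mint a ticket for `client` to
    `service` under `service_key`.  A KDC, the service itself, or anyone
    else holding the key produces exactly the same kind of blob.  `authz`
    is the authorization-data parameter the thread suggests adding."""
    fields = {
        "client": client,
        "service": service,
        "starttime": starttime,
        "endtime": endtime,
        "session_key": os.urandom(16).hex(),
        "authz": authz or [],
    }
    return seal(service_key, fields)


def service_accepts(service_key, blob):
    """Everything the verifying service can check: the blob authenticates
    and decrypts under its own key.  There is no issuer field to inspect."""
    fields = unseal(service_key, blob)
    return fields is not None


def demo():
    """Return (kdc_ok, self_issued_ok, wrong_key_ok) for three tickets."""
    client, service = "alice@EXAMPLE.ORG", "afs/cell@EXAMPLE.ORG"
    kdc_ticket = issue_ticket(SERVICE_KEY, client, service, 0, 3600)
    self_ticket = issue_ticket(SERVICE_KEY, client, service, 0, 3600,
                               authz=["constructed-local-group:admins"])
    bogus = issue_ticket(OTHER_KEY, client, service, 0, 3600)
    return (service_accepts(SERVICE_KEY, kdc_ticket),
            service_accepts(SERVICE_KEY, self_ticket),
            service_accepts(SERVICE_KEY, bogus))
```

The only ticket the service rejects is the one sealed under a different key; the KDC-issued and self-issued tickets are accepted alike, and the self-issued one carries whatever authorization data its issuer chose. This is why the keytab deserves the same protection as the KDC database, whether or not the library exposes a convenience routine like the one proposed.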