RX Kerberos 5 security class requirements of Kerberos library

Nicolas Williams Nicolas.Williams at sun.com
Wed Jan 3 13:01:02 EST 2007

On Wed, Jan 03, 2007 at 12:46:40PM -0500, Jeffrey Altman wrote:
> Nicolas Williams wrote:
> >> This way the function can only be used for localauth and cannot be used
> >> to specify an
> >> arbitrary client name to the service whose key is in the service keytab.
> > 
> > Sorry, I find this lame.  And I still have yet to hear what is so wrong
> > with using OS facilities for local auth.
> Local auth does not necessarily mean single machine.

Good to know.

>                                                        Local auth can
> be used in the AFS case whenever the user executing the commands has
> the necessary read access to the keytab files.

I think TLS with self-signed certs is a better fit, protocol-wise, for
authentication of middle-ware to servers.  The Kerberos V AP exchange as
a PSK mechanism can work, but it has this wrinkle that the client
principal name cannot be ascertained (unless it is, or is coerced to be
the same as the service principal name); this may be seen as a feature,
since some consumers may want krb5 PSK initiators to be able to assert
any client principal.

In any case, I really dislike the idea that this API would check that
there is what appears to be a credential for the client principal name
being asserted -- either don't do that or go through the KDC and forget
about PSK.


More information about the krbdev mailing list