Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
jhutz at cmu.edu
Tue Jun 24 12:31:03 EDT 2008
--On Wednesday, June 18, 2008 04:54:04 PM -0400 Ken Raeburn
<raeburn at MIT.EDU> wrote:
> On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
>> I believe that the meaning of allow_tix should be altered such that
>> it only applies to the client
>> in a TGS or AS request. This would permit -allow_tix to be applied
>> to a service principal
>> and ensure that no client ticket requests can be satisfied for that
>> service principal while at
>> the same time permitting other principals to obtain service tickets.
>> Organizations that wish to disable the issuance of service tickets
>> for the service principal
>> would apply -allow_svr to the principal in addition to -allow_tix.
> I think it should be pointed out that such a change would allow
> tickets to start being issued where currently they would not when the
> KDC software gets updated -- even if the latter really was the intent
> of the realm administrator. Because of that, we might instead want to
> create a new flag with the semantics Jeff wants, and leave the
> existing flag with its current (suboptimal) behavior.
I don't consider the current behavior of -allow_tix to be suboptimal. Its
effect is to completely and totally disable a principal for all uses, which
is a desirable thing to be able to do from an administrative point of view,
separately from the ability to specify "this principal can only be used as
a client" (-allow_svr) or "this principal can only be used as a service
(the new flag Jeff is asking about).
Note that there is a justification for having -allow_svr without
-allow_clt. The former, when used with a policy requiring the use of
preauth, prevents an attacker from asking the KDC for ciphertext to be used
in a long-term attack against a principal's key. This is particularly
useful for principals belonging to human users, whose keys are often
derived from passwords with fairly low entropy. While -allow_clt may be a
useful policy for administrative purposes, it doesn't serve the same kind
of security goal.
More information about the krbdev