OK-AS-DELEGATE FLAG setting.
Henry B. Hotz
hotz at jpl.nasa.gov
Thu May 8 13:08:36 EDT 2008
On May 8, 2008, at 9:16 AM, krbdev-request at mit.edu wrote:
> Message: 3
> Date: Wed, 07 May 2008 16:23:27 -0400
> From: Simo Sorce <ssorce at redhat.com>
> Subject: RE: OK-AS-DELEGATE FLAG setting.
> To: JC Ferguson <jc at F5.com>
> Cc: Ken Raeburn <raeburn at mit.edu>, krbdev at mit.edu, "Douglas E. Engert"
> <deengert at anl.gov>
> Message-ID: <1210191807.32052.44.camel at localhost.localdomain>
> Content-Type: text/plain
> On Wed, 2008-05-07 at 12:37 -0400, JC Ferguson wrote:
>> FWIW: microsoft sets this when a principal is "trusted for
>> in Active Directory. When a microsoft client is connecting to a
>> CIFS-based service and the OK_AS_DELEGATE flag is set, the microsoft
>> client fetches a forwardable TGT and wraps that up in the
>> material along with the service ticket.
> It would be very useful to have a flag like that to mark trusted
> Being able to forward TGTs is very useful in some cases, but the
> downside is that then you end up forwarding it just to everybody.
> able to say, at the KDC level, whom the client should fully trust or
> would be a major improvement.
I hope I don't need to say this to this crowd, but I will anyway.
This flag does *not* actually aid security. This is an advisory
flag. There is nothing that requires the clients to respect it. In
fact (as this discussion demonstrates) everything works just fine if
clients forward tgt's regardless of the flag setting. This means in
turn that there is nothing that prevents evil servers from making use
of such a forwarded tgt.
Unless things have changed in the last 6 months or so, neither
Firefox, nor Safari pay any attention to the flag. Only IE, AFAIK.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev