OK-AS-DELEGATE FLAG setting.
Henry B. Hotz
hotz at jpl.nasa.gov
Thu May 8 13:08:36 EDT 2008
On May 8, 2008, at 9:16 AM, krbdev-request at mit.edu wrote:
> Message: 3
> Date: Wed, 07 May 2008 16:23:27 -0400
> From: Simo Sorce <ssorce at redhat.com>
> Subject: RE: OK-AS-DELEGATE FLAG setting.
> To: JC Ferguson <jc at F5.com>
> Cc: Ken Raeburn <raeburn at mit.edu>, krbdev at mit.edu, "Douglas E. Engert"
> <deengert at anl.gov>
> Message-ID: <1210191807.32052.44.camel at localhost.localdomain>
> Content-Type: text/plain
>
> On Wed, 2008-05-07 at 12:37 -0400, JC Ferguson wrote:
>> FWIW: Microsoft sets this when a principal is "trusted for delegation"
>> in Active Directory. When a Microsoft client is connecting to a
>> CIFS-based service and the OK_AS_DELEGATE flag is set, the Microsoft
>> client fetches a forwardable TGT and wraps that up in the authentication
>> material along with the service ticket.
>
> It would be very useful to have a flag like that to mark trusted
> services.
> Being able to forward TGTs is very useful in some cases, but the
> downside is that then you end up forwarding it just to everybody. Being
> able to say, at the KDC level, whom the client should fully trust or not
> would be a major improvement.
>
> Simo.
I hope I don't need to say this to this crowd, but I will anyway.
This flag does *not* actually aid security. This is an advisory
flag. There is nothing that requires the clients to respect it. In
fact (as this discussion demonstrates) everything works just fine if
clients forward TGTs regardless of the flag setting. This means in
turn that there is nothing that prevents evil servers from making use
of such a forwarded TGT.
Unless things have changed in the last 6 months or so, neither
Firefox nor Safari pays any attention to the flag. Only IE, AFAIK.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
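As an added illustration of the behaviour JC and Henry describe (example code written for this archive page, not code from the thread or from MIT Kerberos): decoding the RFC 4120 TicketFlags BIT STRING that carries ok-as-delegate in a KDC reply, and a client-side decision that shows why the flag is only advisory. The encoded flag bytes are constructed samples, not captured traffic.

```python
"""Decode RFC 4120 TicketFlags and apply an ok-as-delegate delegation policy."""

# RFC 4120 section 5.2.8 / 5.3 TicketFlags bit numbers. In the DER BIT STRING,
# bit 0 is the most significant bit of the first data octet. MIT krb5 stores the
# same layout as a 32-bit word with bit n at 1 << (31 - n), so ok-as-delegate
# (bit 13) is TKT_FLG_OK_AS_DELEGATE = 0x00040000.
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}


def decode_ticket_flags(bitstring_contents: bytes) -> set:
    """Decode the contents octets of a DER BIT STRING (first octet = unused-bit count)."""
    if not bitstring_contents:
        raise ValueError("empty BIT STRING")
    unused, data = bitstring_contents[0], bitstring_contents[1:]
    total_bits = len(data) * 8 - unused
    flags = set()
    for bit, name in TICKET_FLAG_BITS.items():
        if bit < total_bits and (data[bit // 8] >> (7 - bit % 8)) & 1:
            flags.add(name)
    return flags


def encode_ticket_flags(names) -> bytes:
    """Inverse of decode_ticket_flags; RFC 4120 requires at least 32 bits, so emit 4 octets."""
    value = 0
    for bit, name in TICKET_FLAG_BITS.items():
        if name in names:
            value |= 1 << (31 - bit)
    return bytes([0]) + value.to_bytes(4, "big")


def client_should_delegate(service_flags, tgt_flags, respect_ok_as_delegate=True) -> bool:
    """Decide whether a client forwards its TGT to the service it is authenticating to.

    The honouring check lives entirely in the client: a client that passes
    respect_ok_as_delegate=False forwards to any service, and the KDC cannot
    stop it. That is the sense in which the flag is advisory.
    """
    if "forwardable" not in tgt_flags:
        return False  # a non-forwardable TGT cannot be delegated at all
    if respect_ok_as_delegate:
        return "ok-as-delegate" in service_flags  # IE-style policy check
    return True  # flag ignored: TGT goes to every service, trusted or not
```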