OK-AS-DELEGATE FLAG setting.

Nebergall, Christopher cneberg at sandia.gov
Thu May 8 13:49:39 EDT 2008


>>Unless things have changed in the last 6 months or so, neither Firefox, nor Safari pay any attention to the flag.  Only IE, AFAIK.

The problem is that there is no way of doing it only using GSSAPI calls. If there were, it would be no problem to add to Firefox.  For example, the SSPI in Windows takes care of it transparently.  So if you are using Firefox on Windows using the SSPI, just configure Firefox to delegate to everything, and the SSPI will restrict it automatically.

This discussion came up a while back.
http://mailman.mit.edu/pipermail/krbdev/2006-March/004180.html

-Christopher
-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Henry B. Hotz
Sent: Thursday, May 08, 2008 11:09 AM
To: krbdev at mit.edu
Subject: RE: OK-AS-DELEGATE FLAG setting.


On May 8, 2008, at 9:16 AM, krbdev-request at mit.edu wrote:

> Message: 3
> Date: Wed, 07 May 2008 16:23:27 -0400
> From: Simo Sorce <ssorce at redhat.com>
> Subject: RE: OK-AS-DELEGATE FLAG setting.
> To: JC Ferguson <jc at F5.com>
> Cc: Ken Raeburn <raeburn at mit.edu>, krbdev at mit.edu,    "Douglas E. Engert"
>       <deengert at anl.gov>
> Message-ID: <1210191807.32052.44.camel at localhost.localdomain>
> Content-Type: text/plain
>
> On Wed, 2008-05-07 at 12:37 -0400, JC Ferguson wrote:
>> FWIW: microsoft sets this when a principal is "trusted for
>> delegation"
>> in Active Directory.  When a microsoft client is connecting to a
>> CIFS-based service and the OK_AS_DELEGATE flag is set, the microsoft
>> client fetches a forwardable TGT and wraps that up in the
>> authentication material along with the service ticket.
>
> It would be very useful to have a flag like that to mark trusted
> services.
> Being able to forward TGTs is very useful in some cases, but the
> downside is that then you end up forwarding it just to everybody.
> Being
> able to say, at the KDC level, whom the client should fully trust or
> not would be a major improvement.
>
> Simo.

I hope I don't need to say this to this crowd, but I will anyway.

This flag does *not* actually aid security.  This is an advisory flag.  There is nothing that requires the clients to respect it.  In fact (as this discussion demonstrates) everything works just fine if clients forward TGTs regardless of the flag setting.  This means in turn that there is nothing that prevents evil servers from making use of such a forwarded TGT.

Unless things have changed in the last 6 months or so, neither Firefox, nor Safari pay any attention to the flag.  Only IE, AFAIK.

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu



_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
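The thread contrasts two client behaviours: a client that forwards its TGT only to services whose service ticket carries OK-AS-DELEGATE (what JC Ferguson describes for the Microsoft client), and a client that delegates to everything, which works just as well because, as Henry Hotz points out, the flag is advisory. The following is an added example, not code from the thread, from MIT krb5 or from Firefox. It decodes the flag both from a raw RFC 4120 TicketFlags word and from the flag letters in MIT `klist -f` output, then applies each policy to a credential cache listing. Assumptions: the klist(1) flag letters and RFC 4120 bit numbering are as documented; the sample listing, principal names and cache path are constructed.

```python
"""Decide, per service ticket in a credential cache listing, whether a client
that honors OK-AS-DELEGATE would forward the user's TGT to that service.

Added example, not from the krbdev thread.  Assumes MIT krb5 `klist -f`
flag letters (klist(1)) and RFC 4120 section 5.3 TicketFlags numbering.
The sample listing is constructed, not captured from a real cache.
"""
import re

# RFC 4120 section 5.3: TicketFlags bit positions (bit 0 is reserved).
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}

# klist -f prints one letter per set flag; mapping from klist(1).
KLIST_LETTERS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-authent", "A": "pre-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}


def flag_mask(name):
    """ASN.1 BIT STRING bit n of the 32-bit TicketFlags word is 0x80000000 >> n.
    Bit 13 (ok-as-delegate) is therefore 0x00040000, which is also the value
    MIT krb5 uses for TKT_FLG_OK_AS_DELEGATE."""
    return 0x80000000 >> TICKET_FLAG_BITS[name]


def flags_from_word(word):
    """Decode a raw TicketFlags word (as carried in EncKDCRepPart) to flag names."""
    return {name for name in TICKET_FLAG_BITS if word & flag_mask(name)}


def flags_from_letters(letters):
    """Decode the letter string klist -f prints after 'Flags:'."""
    return {KLIST_LETTERS[c] for c in letters if c in KLIST_LETTERS}


# Constructed klist -f output: the TGT, one service the KDC marked
# OK-AS-DELEGATE (letter O) and one it did not.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
05/08/08 13:00:00  05/08/08 23:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tFlags: FRIA
05/08/08 13:01:10  05/08/08 23:00:00  HTTP/portal.example.org@EXAMPLE.ORG
\tFlags: FRAO
05/08/08 13:02:30  05/08/08 23:00:00  HTTP/wiki.example.org@EXAMPLE.ORG
\tFlags: FRA
"""

# start date, start time, expiry date, expiry time, principal (must contain '@')
SERVICE_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return {service_principal: set(flag names)} from klist -f output."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = set()
            continue
        stripped = line.strip()
        if current and stripped.startswith("Flags:"):
            tickets[current] |= flags_from_letters(stripped.split(":", 1)[1].strip())
    return tickets


def delegation_decision(tickets, honor_ok_as_delegate=True):
    """Return {service: forward_tgt?} for every non-TGT ticket.

    Nothing can be forwarded unless the TGT itself is forwardable.  With
    honor_ok_as_delegate=True the TGT goes only to services whose ticket
    carries ok-as-delegate; with False it goes to every service, which the
    KDC cannot prevent because the flag is advisory.
    """
    tgt_forwardable = any("forwardable" in f for s, f in tickets.items()
                          if s.startswith("krbtgt/"))
    return {
        svc: tgt_forwardable and ((not honor_ok_as_delegate) or "ok-as-delegate" in flags)
        for svc, flags in tickets.items() if not svc.startswith("krbtgt/")
    }


if __name__ == "__main__":
    for svc, ok in delegation_decision(parse_klist(SAMPLE_KLIST)).items():
        print(f"{svc}: {'forward TGT' if ok else 'do not forward'}")
```

Running it with the constructed listing forwards to `HTTP/portal.example.org` only; passing `honor_ok_as_delegate=False` forwards to both, which is the "delegate to everything" configuration the thread describes for Firefox. The bit-mask helper shows why `O` in klist and `0x00040000` in the raw flags word are the same thing.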
