Douglas E. Engert deengert at anl.gov
Fri May 9 14:16:44 EDT 2008

Paul Moore wrote:
> The GSS layer should enforce the obedience of this flag. In the current
> MIT gss code it does not. This is very bad (we have reported this
> before). The KDC has set a flag saying 'don't forward this' and yet the
> MIT client code forwards it anyway. We offered a fix (we have it in
> place already) but were told 'no thanks'.

"Enforce" is probable the wrong word to use here. From a Kerberos
prospective the flag is only advisory. The client can ignore the bit,
and forward a TGT if it wants too. The KDC has no control over the

That said, the client should take the advice of the KDC and not forward.

  I suspect that the reason the
> client side code ignores it is because the MIT KDC never sets it and so
> nobody in MIT has paid much attention to it. MS AD KDC uses it all the
> time. In fact AD's default mode is to set 'do not forward '

Well, the OK-TO-DELAGATE was a MS thing, so MS implemented it first.
I do agree that it would be a good feature to have, as it can help prevent
rough user-administrated computers from pretending they are servers.

It would also make it easier to allow user to self register computers
as there is less chance that the computer could steal forwarded tickets
if other clients took the advice of the KDC and not forwarded tickets
to these self registered computers.

> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
> Of Simo Sorce
> Sent: Thursday, May 08, 2008 12:11 PM
> To: Henry B. Hotz
> Cc: krbdev at mit.edu
> Subject: RE: OK-AS-DELEGATE FLAG setting.
> On Thu, 2008-05-08 at 10:08 -0700, Henry B. Hotz wrote:
>> On May 8, 2008, at 9:16 AM, krbdev-request at mit.edu wrote:
>>> Message: 3
>>> Date: Wed, 07 May 2008 16:23:27 -0400
>>> From: Simo Sorce <ssorce at redhat.com>
>>> Subject: RE: OK-AS-DELEGATE FLAG setting.
>>> To: JC Ferguson <jc at F5.com>
>>> Cc: Ken Raeburn <raeburn at mit.edu>, krbdev at mit.edu,	"Douglas E.
> Engert"
>>> 	<deengert at anl.gov>
>>> Message-ID: <1210191807.32052.44.camel at localhost.localdomain>
>>> Content-Type: text/plain
>>> On Wed, 2008-05-07 at 12:37 -0400, JC Ferguson wrote:
>>>> FWIW: microsoft sets this when a principal is "trusted for 
>>>> delegation"
>>>> in Active Directory.  When a microsoft client is connecting to a 
>>>> CIFS-based service and the OK_AS_DELEGATE flag is set, the 
>>>> microsoft client fetches a forwardable TGT and wraps that up in the
>>>> authentication material along with the service ticket.
>>> It would be very useful to have a flag like that to mark trusted 
>>> services.
>>> Being able to forward TGTs is very useful in some cases, but the 
>>> downside is that then you end up forwarding it just to everybody.
>>> Being
>>> able to say, at the KDC level, whom the client should fully trust or
>>> not would be a major improvement.
>>> Simo.
>> I hope I don't need to say this to this crowd, but I will anyway.
>> This flag does *not* actually aid security.  This is an advisory flag.
>> There is nothing that requires the clients to respect it.  In fact (as
>> this discussion demonstrates) everything works just fine if clients 
>> forward tgt's regardless of the flag setting.  This means in turn that
>> there is nothing that prevents evil servers from making use of such a 
>> forwarded tgt.
>> Unless things have changed in the last 6 months or so, neither 
>> Firefox, nor Safari pay any attention to the flag.  Only IE, AFAIK.
> This is understood, but once we have the flag from the KDC we can start
> doing that, at least the client will have a way to know what it should
> do. Currently you would have to manually configure the list of trusted
> services per application, not something that scale in any reasonable use
> case.
> Also being able to enforce respect of such flag in the kerberos/gssapi
> libraries would be a big advantage, but I am not sure that is always
> possible/wanted.
> Simo.
> --
> Simo Sorce * Red Hat, Inc * New York
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list