flags for allowing tix
elric at imrryr.org
Wed May 21 01:00:29 EDT 2008
I've noticed that in the MIT kdc there are a number of flags for
enabling and disabling the issuance of tickets in various circumstances.
My thoughts on the topic began when I decided that I'd like a flag
on a principal to disable AS_REQs _from_ that princ. This would
make sense if you know that a principal will solely be used as a
service and would never AS_REQ.
I had a quick look at the flags defined for these requests supported
by the MIT kdc and it seems that their definitions are not terribly
orthogonal which strikes me as being a tad inelegant. For example,
-allow_tix will disable tickets to and from a principal. -allow_svr
will disallow TGS_REQs or AS_REQs to a principal. -allow_tgs_req
disallows TGS_REQs to a principal.
-allow_tgs_req is contained in -allow_svr which is contained in
AS_REQ from for TGS_REQ from for
allow_tix x x x
allow_svr x x
Or something close to it is the current state.
Maybe it would make sense to come up with a more expressive syntax
which allows any possible combination and regards the existing
flags as synonyms for groups of flags?
Or perhaps just add -allow_as_req_from which would turn off AS_REQs
from the principal in question?
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
More information about the krbdev