flags for allowing tix
Roland Dowdeswell
elric at imrryr.org
Wed May 21 11:59:30 EDT 2008
On 1211347101 seconds since the Beginning of the UNIX epoch
Tom Yu wrote:
>
>Roland Dowdeswell <elric at imrryr.org> writes:
>
>> I've noticed that in the MIT kdc there are a number of flags for
>> enabling and disabling the issuance of tickets in various circumstances.
>> My thoughts on the topic began when I decided that I'd like a flag
>> on a principal to disable AS_REQs _from_ that princ. This would
>> make sense if you know that a principal will solely be used as a
>> service and would never AS_REQ.
>
>Could you please elaborate on the situations where you might want to
>impose this restriction on a (service) principal? Keep in mind that
>the principal will not be able to change its own key as long as that
>flag is set.
We do not let services manage their own keys. We have an infrastructure
in place to do this for us.
I would like to impose this restriction to improve security and
control the environment in a more granular fashion. That is, if
I know in advance that a service will not be making AS_REQs then
it seems that it would be good form to prevent it. I have seen
badly Kerberised applications such as uw-imap which blindly chop
realms off Kerberos principals in order to compare them to usernames.
I can easily imagine that some applications might just chop the
instance off as well. Granted, these applications should be fixed.
But I would also like to be able to reduce the exposure by ensuring
that tickets are not granted if they are not required.
>I will grant that the non-orthogonality of the flags looks inelegant.
>I also think that any attempt to make this set of flags more
>orthogonal should also consider requests for user-to-user tickets.
Yes.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
More information about the krbdev
mailing list