flags for allowing tix

Roland Dowdeswell elric at imrryr.org
Wed May 21 11:59:30 EDT 2008

On 1211347101 seconds since the Beginning of the UNIX epoch
Tom Yu wrote:

>Roland Dowdeswell <elric at imrryr.org> writes:
>> I've noticed that in the MIT kdc there are a number of flags for
>> enabling and disabling the issuance of tickets in various circumstances.
>> My thoughts on the topic began when I decided that I'd like a flag
>> on a principal to disable AS_REQs _from_ that princ.  This would
>> make sense if you know that a principal will solely be used as a
>> service and would never AS_REQ.
>Could you please elaborate on the situations where you might want to
>impose this restriction on a (service) principal?  Keep in mind that
>the principal will not be able to change its own key as long as that
>flag is set.

We do not let services manage their own keys.  We have an infrastructure
in place to do this for us.

I would like to impose this restriction to improve security and
control the environment in a more granular fashion.  That is, if
I know in advance that a service will not be making AS_REQs then
it seems that it would be good form to prevent it.  I have seen
badly Kerberised applications such as uw-imap which blindly chop
realms off Kerberos principals in order to compare them to usernames.
I can easily imagine that some applications might just chop the
instance off as well.  Granted, these applications should be fixed.
But I would also like to be able to reduce the exposure by ensuring
that tickets are not granted if they are not required.

>I will grant that the non-orthogonality of the flags looks inelegant.
>I also think that any attempt to make this set of flags more
>orthogonal should also consider requests for user-to-user tickets.


    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

More information about the krbdev mailing list