Patch to ignore service principals when accepting connexions.

Sam Hartman hartmans at painless-security.com
Wed Aug 25 17:45:17 EDT 2010


My initial reaction to this patch is negative, particularly to exposing
an environment variable for this behavior change.  In general, if an
application is going to use GSS_C_NO_CREDENTIAL, it needs to examine the
service name that was accepted and make an authorization decision.
Changing the behavior of applications under the covers seems like it is
likely to introduce authorization problems.  Yes, you can be very
careful about what principals you make available, but this still seems
relatively dangerous.

However, I do understand the concern.

We introduced a behavior change in 1.7 so that applications no longer
examine the service name encoded in a ticket; instead, they look at
whether the key matches.  This means that you can have KDC-side aliases
either by setting principals to have the same key or by using actual
aliases (as we support with the LDAP backend).  In that environment, you
would have one key in your keytab, but the KDC would issue tickets with
that key for multiple principal names. The KDC configuration is the
layer at which authorization happens; any name that has the key in the
service keytab is authorized.

I think it would be valuable to work through how complicated this would
be from an administrative standpoint and see if we can make that work to
meet people's needs.  If we can't, then we should closely look at some
option along the lines you propose.

--Sam
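
The authorization check described in the first paragraph, as an added example that is not part of the original message or of MIT krb5: an acceptor that used GSS_C_NO_CREDENTIAL compares the accepted service name with the one principal it is willing to act as. The struct, the function names and the principal values are constructed for illustration; the name string is assumed to be the acceptor name the application read from the established context (for example with gss_inquire_context and gss_display_name).

```c
#include <stdio.h>
#include <string.h>

/* Constructed policy: the one service identity this server acts as. */
struct acceptor_policy { const char *service, *hostname, *realm; };
static const struct acceptor_policy IMAP_POLICY =
    { "imap", "mail.example.com", "EXAMPLE.COM" };

/* Split "service/hostname@REALM" in place; 0 on success, -1 if malformed.
 * Escapes, extra components or a second '@' are rejected (fail closed). */
static int split_principal(char *p, char **svc, char **host, char **realm)
{
    char *slash = strchr(p, '/'), *at = strchr(p, '@');
    if (strchr(p, '\\') || !slash || !at || at < slash)
        return -1;
    if (strchr(slash + 1, '/') || strchr(at + 1, '@'))
        return -1;
    *slash = *at = '\0';
    *svc = p; *host = slash + 1; *realm = at + 1;
    return (**svc && **host && **realm) ? 0 : -1;
}

/* 1 only if the accepted acceptor name is exactly the policy principal.
 * Kerberos principal names are case-sensitive, hence strcmp. */
int acceptor_name_authorized(const char *accepted,
                             const struct acceptor_policy *pol)
{
    char buf[256], *svc, *host, *realm;
    if (!accepted || strlen(accepted) >= sizeof(buf))
        return 0;
    strcpy(buf, accepted);
    if (split_principal(buf, &svc, &host, &realm) != 0)
        return 0;
    return strcmp(svc, pol->service) == 0 &&
           strcmp(host, pol->hostname) == 0 &&
           strcmp(realm, pol->realm) == 0;
}

int main(void)
{
    /* Constructed names: both could share one keytab key via KDC aliases. */
    const char *names[] = { "imap/mail.example.com@EXAMPLE.COM",
                            "host/mail.example.com@EXAMPLE.COM" };
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", names[i],
               acceptor_name_authorized(names[i], &IMAP_POLICY) ? "allow" : "deny");
    return 0;
}
```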


