Anonymous pkinit and ticket policy

Wed Nov 17 18:58:24 EST 2010

Right now, if you enable anonymous pkinit (by creating the
WELLKNOWN/ANONYMOUS principal), the KDC will issue tickets with the
anonymous client principal and any service principal--same as any
other client principal.

It is not unheard of for services to offer some level of access to any
user who can authenticate.  The existence (real or perceived) of such
services may discourage people from using anonymous pkinit for its
major use cases--FAST armor and host registration via anonymous
kadmin.  If you are an integrator looking to simplify one of those use
cases, you have caveats to worry about.

I'm interested in hearing people's thoughts on solutions for this
problem.  Solutions can fit into one of three scopes:

* Solve the specific problem: create a boolean realm flag
  (e.g. restrict_anonymous) which restricts the service principal of
  anonymous tickets to krbtgt or kadmin/*.

* Solve a more general problem: somehow represent the map {principal}
  -> boolean determining which service principals the anonymous
  principal is allowed to get tickets for.  Specific options include:

  - A principal flag defaulting to "anonymous allowed".
  - A principal flag defaulting to "anonymous not allowed".
  - Allow/deny lists represented in the KDC's profile, with or without
    wildcard support.

* Solve an even more general problem: somehow represent the map
  {cprinc, sprinc} -> boolean determining which client/server
  combinations the KDC will issue tickets for.

Note that there are two kinds of anonymous principals: fully anonymous
and realm-exposed.  Right now our KDC only supports fully anonymous.

Pluggability is part of the full solution space (right now AS and TGS
request policies are pluggable through the DAL, but we could add a KDC
policy plugin to make policies pluggable separately from the KDB), but
we do need a solution which is not contingent upon writing plugins.