Anonymous pkinit and ticket policy
Sam Hartman
hartmans at MIT.EDU
Mon Nov 22 18:36:07 EST 2010
>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
Jeffrey> On 11/17/2010 6:58 PM, ghudson at mit.edu wrote:
>> Right now, if you enable anonymous pkinit (by creating the
>> WELLKNOWN/ANONYMOUS principal), the KDC will issue tickets with
>> the anonymous client principal and any service principal--same as
>> any other client principal.
>>
>> It is not unheard of for services to offer some level of access
>> to any user who can authenticate. The existence (real or
>> perceived) of such services may discourage people from using
>> anonymous pkinit for its major use cases--FAST armor and host
>> registration via anonymous kadmin. If you are an integrator
>> looking to simplify one of those use cases, you have caveats to
>> worry about.
Jeffrey> My perspective on this is that any service that is
Jeffrey> intentionally offering services to any authentication
Jeffrey> without examining the user principal name in any way is
Jeffrey> already providing an anonymous service. Therefore, there
Jeffrey> is no change in the behavior.
I'm certainly aware of services that offer service to all authenticated
users within a realm. However, the things I'm aware of are either truly
public or examine the realm field. The realm WELLKNOWN:ANONYMOUS is by
definition not going to be the local realm.
So, as part of this discussion I'd like to hear about specific services
that are affected.
--Sam
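The realm check Sam describes, written out as an added example (it is not code from this thread, from MIT krb5, or from any service mentioned here). It parses a principal in the MIT krb5 string form, compares the realm against the service's local realm, and additionally refuses the anonymous principal name itself, since RFC 6112 also allows an anonymous ticket whose realm is the client's own realm when only the name is hidden. The realm EXAMPLE.COM, the sample principals, and the function names are assumptions made for the example.

```python
"""Service-side "any authenticated user in my realm" check.

Added example, not code from the krbdev thread or from MIT krb5.  The
realm names, sample principals and function names below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Anonymous principal name and realm as defined by RFC 6112.
ANON_NAME_COMPONENTS = ("WELLKNOWN", "ANONYMOUS")
ANON_REALM = "WELLKNOWN:ANONYMOUS"


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse 'comp1/comp2@REALM' (MIT krb5 unparsed form).

    A backslash makes the following '/', '@' or '\\' literal; the realm is
    everything after the first unescaped '@'.
    """
    parts: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            parts.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            parts.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % text)
    realm = "".join(buf)
    if not realm or any(p == "" for p in parts):
        raise ValueError("malformed principal: %r" % text)
    return Principal(tuple(parts), realm)


def is_anonymous(p: Principal) -> bool:
    """True for WELLKNOWN/ANONYMOUS in any realm, and for anything in the
    anonymous realm (fully anonymous tickets use both together)."""
    return p.components == ANON_NAME_COMPONENTS or p.realm == ANON_REALM


def naive_authorize(client: str) -> bool:
    """The policy Greg worries about: any client the KDC would issue a
    ticket for is let in, including the anonymous principal."""
    parse_principal(client)          # authenticated; name never examined
    return True


def authorize_local_realm_user(client: str, local_realm: str) -> bool:
    """The realm-checking variant: the client must be a non-anonymous
    principal of the service's own realm."""
    p = parse_principal(client)
    if is_anonymous(p):
        return False
    return p.realm == local_realm


if __name__ == "__main__":
    # Constructed sample clients; EXAMPLE.COM is the assumed local realm.
    for client in ("alice@EXAMPLE.COM",
                   "host/www.example.com@EXAMPLE.COM",
                   "bob@OTHER.REALM",
                   "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS",
                   "WELLKNOWN/ANONYMOUS@EXAMPLE.COM"):
        print("%-45s naive=%-5s realm-checked=%s" % (
            client, naive_authorize(client),
            authorize_local_realm_user(client, "EXAMPLE.COM")))
```

Run as a script, the table shows that the naive policy admits all five constructed clients, while the realm-checking policy admits only the first two; the last line is the realm-exposed anonymous form that a bare realm comparison would miss.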