Anonymous pkinit and ticket policy

Sam Hartman hartmans at MIT.EDU
Mon Nov 22 18:36:07 EST 2010

>>>>> "Jeffrey" == Jeffrey Altman <jaltman at> writes:

    Jeffrey> On 11/17/2010 6:58 PM, ghudson at wrote:
    >> Right now, if you enable anonymous pkinit (by creating the
    >> WELLKNOWN/ANONYMOUS principal), the KDC will issue tickets with
    >> the anonymous client principal and any service principal--same as
    >> any other client principal.
    >> It is not unheard of for services to offer some level of access
    >> to any user who can authenticate.  The existence (real or
    >> perceived) of such services may discourage people from using
    >> anonymous pkinit for its major use cases--FAST armor and host
    >> registration via anonymous kadmin.  If you are an integrator
    >> looking to simplify one of those use cases, you have caveats to
    >> worry about.

    Jeffrey> My perspective on this is that any service that is
    Jeffrey> intentionally offering services to any authentication
    Jeffrey> without examining the user principal name in any way is
    Jeffrey> already providing an anonymous service.  Therefore, there
    Jeffrey> is no change in the behavior.

I'm certainly aware of services that offer service to all authenticated
users within a realm.  However the things I'm aware of are either truly
public or examine the realm field.  The realm WELLKNOWN:ANONYMOUS is by
definition not going to be the local realm.

So, as part of this discussion I'd like to hear about specific services
that are affected.


More information about the krbdev mailing list