[467] in Kerberos_Protocol

Re: Ticket extensions in Kerberos revisions

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Wed May 3 15:29:13 2000

Message-Id: <200005031814.OAA25915@ginger.cmf.nrl.navy.mil>
To: Nicolas Williams <willian@ubsw.com>
Cc: cat-ietf@MIT.EDU, krb-protocol@MIT.EDU
In-Reply-To: Your message of "Tue, 02 May 2000 16:09:20 EDT."
             <20000502160918.M1094@sm2p1386swk.wdr.com> 
Date: Wed, 03 May 2000 14:14:40 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>The second signature, the one signed with the KDC's key, is there so
>that non-system services (services that don't have local privileges to
>start with, i.e., services which "don't run as root") can ask the OS to
>let them assume the credentials of the remote user. In such cases the OS
>has to check a PAC signature that the service itself couldn't fake.

Maybe this is a MS thing - but explain to me again why the non-system service
needs the ability to become the remote user?

--Ken
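
The quoted argument above, that the OS needs a PAC signature the service itself could not fake, shown in a toy model. This is an added example, not part of the original message or of any Kerberos implementation; HMAC-SHA256, the JSON encoding, both signatures covering the same body, and all function and key names are assumptions made for illustration.

```python
import hashlib
import hmac
import json


def _mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for the real keyed checksum (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(authz: dict) -> bytes:
    return json.dumps(authz, sort_keys=True).encode()


def kdc_issue_pac(authz: dict, service_key: bytes, kdc_key: bytes) -> dict:
    """KDC side: sign the authorization data once per key."""
    body = _encode(authz)
    return {"body": body,
            "server_sig": _mac(service_key, body),
            "kdc_sig": _mac(kdc_key, body)}


def service_check(pac: dict, service_key: bytes) -> bool:
    """Check the service can do itself, using the key it shares with the KDC."""
    return hmac.compare_digest(pac["server_sig"], _mac(service_key, pac["body"]))


def os_check(pac: dict, kdc_key: bytes) -> bool:
    """Check made on behalf of the OS by a holder of the KDC's key."""
    return hmac.compare_digest(pac["kdc_sig"], _mac(kdc_key, pac["body"]))


def rewrite_with_service_key(pac: dict, service_key: bytes, new_authz: dict) -> dict:
    """All a holder of only the service key can build: a new body with a
    valid server signature, but the KDC signature cannot be recomputed."""
    body = _encode(new_authz)
    return {"body": body, "server_sig": _mac(service_key, body), "kdc_sig": pac["kdc_sig"]}


def demo() -> dict:
    # Constructed sample keys and authorization data.
    service_key, kdc_key = b"constructed-service-key", b"constructed-kdc-key"
    genuine = kdc_issue_pac({"user": "alice", "groups": ["users"]}, service_key, kdc_key)
    altered = rewrite_with_service_key(
        genuine, service_key, {"user": "alice", "groups": ["admins"]})
    return {"genuine": (service_check(genuine, service_key), os_check(genuine, kdc_key)),
            "altered": (service_check(altered, service_key), os_check(altered, kdc_key))}


if __name__ == "__main__":
    print(demo())
```

A signature under the service's own key cannot tell the OS anything, because the service can regenerate it for any contents; only the KDC-keyed one distinguishes the two cases.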
