Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Loren M. Lang)
Tue Mar 10 15:43:49 2009
From: "Loren M. Lang" <lorenl@alzatex.com>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87y6vfu6n6.fsf@windlord.stanford.edu>
Date: Mon, 09 Mar 2009 16:21:41 -0700
Message-Id: <1236640901.30350.23841.camel@ruth.aloha.tallye.com>
Cc: kerberos@mit.edu
On Sun, 2009-03-08 at 13:00 -0700, Russ Allbery wrote:
> Mikkel Kruse Johnsen <mikkel@linet.dk> writes:
>
> > Firefox: Type "about:config" in the Location bar. Type "nego" in the
> > filter and double click "network.negotiate-auth.delegation-uris" and
> > "network.negotiate-auth.trusted-uris" and type in your domain name (in
> > my example I have "cbs.dk" in both)
>
> Be aware that doing this will cause your browser to promiscuously send
> your credentials to every server in that domain with a valid HTTP/*
> principal in your KDC and allow that server to impersonate you to any
> other service. This may be what you want to do, but it's worth thinking
> carefully about the implications before you do it.
>
> For example, if you're an educational site that allows students to obtain
> HTTP/* principals for their own systems, you *don't* want to do this.
Isn't it a feature of Kerberos to be able to limit the powers that one
delegates using proxiable tickets? If I understand correctly, it should
be possible to delegate for the server to impersonate you only to the
LDAP service on host ldap.example.com instead of forwarding your krbtgt.
--
Loren M. Lang
lorenl@alzatex.com
http://www.alzatex.com/
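The two prefs quoted above do different things: `network.negotiate-auth.trusted-uris` lists the servers Firefox will do SPNEGO/Kerberos authentication to, while `network.negotiate-auth.delegation-uris` lists the servers it will additionally forward your credentials to, which is the part Russ warns about. An entry without a scheme, such as a bare `cbs.dk`, is treated by Firefox as a domain suffix and so matches every host in that domain. The following audit script is an added example, not code from this thread or from Mozilla; it assumes Firefox's `prefs.js` format (`user_pref("name", "value");` lines) and the suffix-matching rule just described, and it runs over two constructed `prefs.js` fragments: the "cbs.dk in both" setting from the quoted instructions and a tighter variant that limits delegation to one named server.

```python
import re

# Firefox records changed about:config values in prefs.js, one per line:
#   user_pref("name", "value");
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"([^"]*)"\);\s*$')

TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"

# Constructed sample: the "cbs.dk in both" setting from the quoted instructions.
BROAD_PREFS_JS = """\
user_pref("network.negotiate-auth.trusted-uris", "cbs.dk");
user_pref("network.negotiate-auth.delegation-uris", "cbs.dk");
"""

# Constructed sample: authenticate to the whole domain, but only forward
# credentials to one named server (hypothetical host portal.cbs.dk).
TIGHT_PREFS_JS = """\
user_pref("network.negotiate-auth.trusted-uris", "cbs.dk");
user_pref("network.negotiate-auth.delegation-uris", "https://portal.cbs.dk");
"""


def parse_prefs(text):
    """Return a dict of pref name -> string value from prefs.js content."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def split_uri_list(value):
    """Both negotiate-auth prefs hold a comma-separated list of entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_domain_suffix(entry):
    """An entry with no scheme and no path is matched as a domain suffix,
    i.e. it covers every host under that domain rather than one server."""
    return "://" not in entry and "/" not in entry


def audit(prefs):
    """Report delegation entries that hand credentials to a whole domain."""
    trusted = split_uri_list(prefs.get(TRUSTED, ""))
    delegation = split_uri_list(prefs.get(DELEGATION, ""))
    findings = []
    for entry in delegation:
        if is_domain_suffix(entry):
            # Every host in this domain with an HTTP/* principal can obtain
            # the user's forwarded credentials.
            findings.append(("broad-delegation", entry))
    return {"trusted": trusted, "delegation": delegation, "findings": findings}


def audit_text(text):
    return audit(parse_prefs(text))


if __name__ == "__main__":
    for label, blob in (("broad", BROAD_PREFS_JS), ("tight", TIGHT_PREFS_JS)):
        result = audit_text(blob)
        print(label, "trusted:", result["trusted"],
              "delegation:", result["delegation"])
        for kind, entry in result["findings"]:
            print("  FINDING", kind, "->", entry)
```

Running it reports the bare `cbs.dk` delegation entry as broad and passes the variant that names a single HTTPS server; leaving `trusted-uris` wide while narrowing `delegation-uris` keeps single sign-on working everywhere without forwarding credentials everywhere.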
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos