|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Tue, 24 Jun 2008 12:31:03 -0400 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Ken Raeburn <raeburn@mit.edu>, Kerberos mailing list list <kerberos@mit.edu>, "krbdev@mit.edu List" <krbdev@mit.edu> Message-ID: <2750DB3DE540171113F09501@sirius.fac.cs.cmu.edu> In-Reply-To: <200806182059.m5IKxYLQ028542@toasties.srv.cs.cmu.edu> MIME-Version: 1.0 Content-Disposition: inline Cc: jhutz@cmu.edu Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: kerberos-bounces@mit.edu --On Wednesday, June 18, 2008 04:54:04 PM -0400 Ken Raeburn <raeburn@MIT.EDU> wrote: > On Jun 18, 2008, at 16:33, Jeffrey Altman wrote: >> I believe that the meaning of allow_tix should be altered such that >> it only applies to the client >> in a TGS or AS request. This would permit -allow_tix to be applied >> to a service principal >> and ensure that no client ticket requests can be satisfied for that >> service principal while at >> the same time permitting other principals to obtain service tickets. >> Organizations that wish to disable the issuance of service tickets >> for the service principal >> would apply -allow_svr to the principal in addition to -allow_tix. > > I think it should be pointed out that such a change would allow > tickets to start being issued where currently they would not when the > KDC software gets updated -- even if the latter really was the intent > of the realm administrator. Because of that, we might instead want to > create a new flag with the semantics Jeff wants, and leave the > existing flag with its current (suboptimal) behavior. I don't consider the current behavior of -allow_tix to be suboptimal. Its effect is to completely and totally disable a principal for all uses, which is a desirable thing to be able to do from an administrative point of view, separately from the ability to specify "this principal can only be used as a client" (-allow_svr) or "this principal can only be used as a service (the new flag Jeff is asking about). Note that there is a justification for having -allow_svr without -allow_clt. The former, when used with a policy requiring the use of preauth, prevents an attacker from asking the KDC for ciphertext to be used in a long-term attack against a principal's key. This is particularly useful for principals belonging to human users, whose keys are often derived from passwords with fairly low entropy. While -allow_clt may be a useful policy for administrative purposes, it doesn't serve the same kind of security goal. -- Jeff ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |