[32277] in Kerberos

Re: URGENT - Kerberos : Authorization

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Fri Apr 23 20:52:56 2010

X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: kerberos@mit.edu
Message-ID: <4BD22615.40109@secure-endpoints.com>
Date: Fri, 23 Apr 2010 23:58:29 +0100
From: Jeffrey Altman <jaltman@secure-endpoints.com>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <B2A6809D68602941A1341092939DFCE1E9C504@ftrdmel0.rd.francetelecom.fr>
Reply-To: jaltman@secure-endpoints.com
Content-Type: multipart/mixed; boundary="===============0199842925=="
Errors-To: kerberos-bounces@mit.edu

This is a cryptographically signed message in MIME format.

On 4/23/2010 2:48 PM, jacky.forestier@orange-ftgroup.com wrote:
>
> Hi All,
>
> A question on the kerberos implementation (Kerb v5-1.6) that we tested
> and are using now in experimental studies: Does this kerberos version
> allow to distinguish between different users in terms of allowing to
> grant the TGS ticket for a certain service for certain users and
> refusing the TGS ticket grant for other users.
>
> In our opinion, this is something in the Kerberos logic, otherwise why
> does Kerberos distribute TGS tickets.
>
> But, in all our experiments, any client who obtains a TGT ticket (i.e.
> successfully authenticates) is granted the TGS ticket when he asked for
> it. Given that we tested the Telnet Kerberised and FTP Kerberised
> services.
>
> I would like to know if someone could tell me about a certain
> configuration in Kerberos that allows for example user1 to have only a
> TGS for the FTP kerberised service (and not for the Telnet Kerberised
> service) and vice-versa for user2.
>
> We understood from the standard of Kerberos (RFC 4120) that the
> authorized data field might be concerned. Is there a certain
> configuration that we need to do for this field ?
>
>
>
> Thanks for your help
>
> Best Regards
>
> Jacky Forestier

A Kerberos KDC does not make authorization decisions.  When using Kerberos,
authorization decisions are made at the service after the client performs a
successful authentication.

Jeffrey Altman
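
Added example, not part of the original message and not code from any Kerberos distribution: a sketch of the service-side check the reply describes, where each kerberised service consults its own access list once the client's principal has been authenticated. The ACL format, the realm `EXAMPLE.ORG` and the function names are assumptions made for illustration; escaped `@` or `/` characters in principal names are not handled.

```python
from typing import NamedTuple

class Principal(NamedTuple):
    primary: str
    instance: str  # empty string when the principal has no instance
    realm: str

def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM'; a name without a realm is rejected."""
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError(f"principal needs an explicit realm: {name!r}")
    primary, _, instance = local.partition("/")
    if not primary:
        raise ValueError(f"principal has an empty primary: {name!r}")
    return Principal(primary, instance, realm)

# Constructed ACL (hypothetical format): one "service principal" pair per line.
ACL_TEXT = """\
# service  principal
ftp     user1@EXAMPLE.ORG
telnet  user2@EXAMPLE.ORG
"""

def load_acl(text: str) -> dict:
    """Build {service: set of Principal} from the ACL text above."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, principal = line.split()
        acl.setdefault(service, set()).add(parse_principal(principal))
    return acl

def authorize(acl: dict, service: str, authenticated_name: str) -> bool:
    """Run by the service after the ticket has been validated.

    Default deny: unknown services, malformed names, other realms and
    other instances of the same primary are all refused.
    """
    try:
        client = parse_principal(authenticated_name)
    except ValueError:
        return False
    return client in acl.get(service, set())

ACL = load_acl(ACL_TEXT)
```

Both users would still receive service tickets from the KDC for either service; the refusal happens when the service compares the authenticated principal against its own list.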


