[32279] in Kerberos


Re: URGENT - Kerberos : Authorization

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Fri Apr 23 20:53:27 2010

Message-ID: <4BD220BF.4040806@kickflop.net>
Date: Fri, 23 Apr 2010 18:35:43 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: jacky.forestier@orange-ftgroup.com
In-Reply-To: <B2A6809D68602941A1341092939DFCE1E9C504@ftrdmel0.rd.francetelecom.fr>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

What you're describing, as I read it, is authorization.

Kerberos is an authentication service.

If you would like to *authorize* certain users to
use an FTP service, I believe you should be looking
outside of Kerberos for that functionality.

On 4/23/2010 9:48 AM, jacky.forestier@orange-ftgroup.com wrote:
>
> Hi All,
>
> A question on the Kerberos implementation (Kerb v5-1.6) that we tested
> and are using now in experimental studies: Does this Kerberos version
> allow distinguishing between different users in terms of allowing
> the TGS ticket grant for a certain service for certain users and
> refusing the TGS ticket grant for other users?
>
> In our opinion, this is something in the Kerberos logic, otherwise why
> does Kerberos distribute TGS tickets?
>
> But, in all our experiments, any client who obtains a TGT ticket (i.e.
> successfully authenticates) is granted the TGS ticket when he asks for
> it. Given that we tested the Telnet Kerberised and FTP Kerberised
> services.
>
> I would like to know if someone could tell me about a certain
> configuration in Kerberos that allows for example user1 to have only a
> TGS for the FTP Kerberised service (and not for the Telnet Kerberised
> service) and vice-versa for user2.
>
> We understood from the standard of Kerberos (RFC 4120) that the
> authorized data field might be concerned. Is there a certain
> configuration that we need to do for this field?
>
>
>
> Thanks for your help
>
> Best Regards
>
> Jacky Forestier
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
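
The split between authentication and authorization discussed in this thread, as an added example (not part of the original messages and not MIT Kerberos code): the service receives an already-authenticated client principal name and applies its own default-deny access list, so user1 reaches only FTP and user2 only Telnet. The realm `EXAMPLE.COM`, the ACL layout and both function names are assumptions made for the illustration.

```python
# Added illustration: service-side authorization applied AFTER Kerberos has
# authenticated the client. Realm, ACL layout and function names are assumed.
TRUSTED_REALM = "EXAMPLE.COM"
# Mirrors the question: user1 may use FTP only, user2 may use Telnet only.
SERVICE_ACL = {"ftp": {"user1"}, "telnet": {"user2"}}


def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm).

    A backslash escapes the next character, so an escaped '@' or '/' stays
    inside a component. Simplification: every escape is taken literally.
    """
    components, current, realm, in_realm = [], [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("dangling escape")
            (realm if in_realm else current).append(nxt)
        elif ch == "@" and not in_realm:
            in_realm = True
        elif ch == "/" and not in_realm:
            components.append("".join(current))
            current = []
        else:
            (realm if in_realm else current).append(ch)
    components.append("".join(current))
    if not in_realm or not realm or "" in components:
        raise ValueError("malformed principal")
    return components, "".join(realm)


def is_authorized(principal, service):
    """Default deny: only plain user principals of the trusted realm that are
    listed for this service are allowed."""
    try:
        components, realm = parse_principal(principal)
    except ValueError:
        return False
    if realm != TRUSTED_REALM or len(components) != 1:
        return False  # foreign realm, or an instance such as user1/admin
    return components[0] in SERVICE_ACL.get(service, set())
```
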