[3588] in Kerberos
Passing authentication data within a Kerberos ticket
daemon@ATHENA.MIT.EDU (P V McMahon)
Thu Jul 21 12:06:52 1994
To: kerberos@MIT.EDU
Date: Thu, 21 Jul 1994 12:58:23 +0000
From: pvm@icle.demon.co.uk (P V McMahon)
Reply-To: p.v.mcmahon@rea0803.wins.icl.co.uk
> From: sy42916@vantage.fmrco.com (Christopher King)
> Date: 18 Jul 1994 18:42:03 -0400
> Organization: comp.protocols.kerberos<->kerberos@mit.edu gateway
> I'm working for Fidelity Investments in Boston. We are developing a
> Client/Server architecture using Kerberos. I'm trying to get a service
> ticket, then using krb5_send_tgs stuff some authentication data (PAC)
> inside. My hope is I could send this data to the application service I'm
> requesting and, once I check the identity, take out the authorization
> data and perform an authorization check.
>
> Will krb5_send_tgs take some authorization data, encrypt it inside the ticket?
>
> Chris King (617-563-8894)
Chris,
krb5_send_tgs won't encrypt data inside the ticket, but will send
encrypted required authorisation data to the server. The RFC1510
pseudocode for the KDC processing of KRB_TGS_REQ indicates
that the authorisation data requested by the user is copied through
together with the authorisation data from the authentication header
(if any). The v5b2 KDC appears to implement this in process_tgs_req in
do_tgs_req.c.
This could lead to a model which supported user-asserted access
rights - which may not be what you have in mind :-).
In our implementation (SESAME) the privilege attribute server
decides what privileges are permitted. We use a registered padata
to send a request for privileges (for which we have used krb5_send_tgs)
which gets adjudicated by the privilege server. The privileges
get sent back in a signed PAC linked to the authorisation data
field in the returned ticket.
We don't use the user-requested authorisation data facility, but any
user-requested part in the authorisation data follows the PAC
reference and is only to be trusted as far as you trust the user ...
Regards,
Piers
---
P V McMahon
email: p.v.mcmahon@rea0803.wins.icl.co.uk
voice: +44-734-634882
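The distinction Piers draws above (a PAC adjudicated and signed by the privilege server, versus user-requested authorisation data that the KDC copies through unmodified) can be shown in a small model. This is an added example written for this archive page, not code from the original posts, from SESAME or from the MIT KDC, and it does not use the Kerberos wire encoding. The ad-type numbers, the principal name, and the HMAC key shared between the privilege server and the target service are all assumptions of the model; they stand in for whatever signature scheme the real privilege server uses. It contrasts a naive service that merges every authorisation-data entry with one that only honours a verified PAC bound to the authenticated principal.

```python
"""Model of KRB_TGS_REQ authorization-data handling as described in the
thread: the KDC copies the client's requested authorization data into the
ticket unchanged, next to a PAC the privilege server has signed.
Illustrative model only; not the Kerberos ASN.1 encoding."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Set, Tuple

# Hypothetical ad-type values for this model; not registered Kerberos AD types.
AD_SIGNED_PAC = 1
AD_USER_ASSERTED = 2

# Constructed secret assumed to be shared by the privilege server and the
# target service (a modelling assumption; SESAME's PAC protection differs).
PAC_SIGNING_KEY = b"privilege-server-demo-key"
TAG_LEN = hashlib.sha256().digest_size


@dataclass(frozen=True)
class AuthData:
    """One element of a ticket's authorization-data sequence."""
    ad_type: int
    ad_data: bytes


def encode_privs(principal: str, privs: List[str]) -> bytes:
    return (principal + "|" + ",".join(sorted(privs))).encode()


def decode_privs(payload: bytes) -> Tuple[str, Set[str]]:
    principal, _, privs = payload.decode().partition("|")
    return principal, {p for p in privs.split(",") if p}


def sign_pac(principal: str, privs: List[str]) -> AuthData:
    """Privilege server: PAC bound to the principal, protected by an HMAC tag."""
    payload = encode_privs(principal, privs)
    tag = hmac.new(PAC_SIGNING_KEY, payload, hashlib.sha256).digest()
    return AuthData(AD_SIGNED_PAC, tag + payload)


def kdc_process_tgs_req(principal: str, granted_privs: List[str],
                        requested_authz: List[AuthData]) -> List[AuthData]:
    """KDC side: adjudicated PAC first, then the client's requested
    authorization data copied through without being vouched for."""
    ticket_authz = [sign_pac(principal, granted_privs)]
    ticket_authz.extend(requested_authz)
    return ticket_authz


def naive_service_privileges(ticket_authz: List[AuthData]) -> Set[str]:
    """Service that trusts every entry because it arrived inside the ticket."""
    privs: Set[str] = set()
    for ad in ticket_authz:
        payload = ad.ad_data[TAG_LEN:] if ad.ad_type == AD_SIGNED_PAC else ad.ad_data
        privs |= decode_privs(payload)[1]
    return privs


def service_privileges(expected_principal: str,
                       ticket_authz: List[AuthData]) -> Tuple[Set[str], List[AuthData]]:
    """Honour only a PAC whose tag verifies and whose principal matches the
    authenticated client; everything else is returned as untrusted."""
    trusted: Set[str] = set()
    untrusted: List[AuthData] = []
    for ad in ticket_authz:
        if ad.ad_type != AD_SIGNED_PAC:
            untrusted.append(ad)          # user-asserted: trust only as far as the user
            continue
        tag, payload = ad.ad_data[:TAG_LEN], ad.ad_data[TAG_LEN:]
        expect = hmac.new(PAC_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            untrusted.append(ad)          # forged or damaged PAC
            continue
        principal, privs = decode_privs(payload)
        if principal != expected_principal:
            untrusted.append(ad)          # someone else's PAC replayed
            continue
        trusted |= privs
    return trusted, untrusted


def demo() -> Tuple[Set[str], Tuple[Set[str], List[AuthData]]]:
    # Constructed scenario: the privilege server grants "read", but the client
    # asks the KDC to include its own entry claiming "admin".
    client = "chris@EXAMPLE.REALM"
    asserted = AuthData(AD_USER_ASSERTED, encode_privs(client, ["admin"]))
    ticket_authz = kdc_process_tgs_req(client, ["read"], [asserted])
    return naive_service_privileges(ticket_authz), service_privileges(client, ticket_authz)


if __name__ == "__main__":
    naive, (trusted, untrusted) = demo()
    print("naive service grants:", sorted(naive))
    print("careful service grants:", sorted(trusted), "ignoring", len(untrusted), "entries")
```

The naive service ends up granting the user-asserted "admin" because the KDC faithfully copied the request through, which is the user-asserted access-rights model Piers warns about; the careful service sees only "read" and keeps the unsigned entry for logging or an application-level decision.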