[16504] in Kerberos_V5_Development
Re: Anonymous pkinit and ticket policy
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Mon Nov 22 17:13:28 2010
Message-ID: <4CEAEB00.9080206@secure-endpoints.com>
Date: Mon, 22 Nov 2010 17:13:20 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: krbdev@mit.edu
In-Reply-To: <201011172358.oAHNwO0S009472@outgoing.mit.edu>
On 11/17/2010 6:58 PM, ghudson@mit.edu wrote:
> Right now, if you enable anonymous pkinit (by creating the
> WELLKNOWN/ANONYMOUS principal), the KDC will issue tickets with the
> anonymous client principal and any service principal--same as any
> other client principal.
>
> It is not unheard of for services to offer some level of access to any
> user who can authenticate. The existence (real or perceived) of such
> services may discourage people from using anonymous pkinit for its
> major use cases--FAST armor and host registration via anonymous
> kadmin. If you are an integrator looking to simplify one of those use
> cases, you have caveats to worry about.
My perspective on this is that any service that is intentionally
offering services to any authentication without examining the
user principal name in any way is already providing an anonymous
service. Therefore, there is no change in the behavior.
If the service is in fact checking the user principal name, then
the WELLKNOWN/ANONYMOUS principal is highly unlikely to
conflict. However, in the case that it might conflict or that a
site would prefer not to offer anonymous functionality, then the
Kerberos profile should offer an option to disable anonymous support
within a realm even if WELLKNOWN/ANONYMOUS@REALM exists.
Jeffrey Altman
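Added illustration, not code from the thread or from MIT Kerberos: how a service that "offers some level of access to any user who can authenticate" can recognise the anonymous client principal before applying that policy. The principal-name parsing and the `authorize` policy function are assumptions for this example; the names follow RFC 6112, where the anonymous principal is WELLKNOWN/ANONYMOUS with realm WELLKNOWN:ANONYMOUS (fully anonymous) or the client's real realm (realm-exposed anonymous pkinit).

```python
from dataclasses import dataclass
from typing import Tuple

# RFC 6112 well-known anonymous name and realm.
ANON_COMPONENTS = ("WELLKNOWN", "ANONYMOUS")
ANON_REALM = "WELLKNOWN:ANONYMOUS"


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm.

    Backslash escapes the next character, so '\\/' and '\\@' are literal and do
    not act as separators (the usual unparsed-principal convention)."""
    comps, cur, realm_seen, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if not realm_seen and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif not realm_seen and ch == "@":
            comps.append("".join(cur))
            cur = []
            realm_seen = True
        else:
            cur.append(ch)
        i += 1
    if not realm_seen:
        raise ValueError("principal has no realm: %r" % text)
    return Principal(tuple(comps), "".join(cur))


def is_anonymous(p: Principal) -> bool:
    # The component check is what matters; the realm only tells us whether the
    # client's realm was exposed.
    return p.components == ANON_COMPONENTS


def authorize(client: str, allow_anonymous: bool) -> str:
    """Assumed policy hook for a service that otherwise admits any authenticated user."""
    p = parse_principal(client)
    if is_anonymous(p):
        if not allow_anonymous:
            return "deny"
        return "anonymous" if p.realm == ANON_REALM else "anonymous-realm:" + p.realm
    return "user:" + "/".join(p.components) + "@" + p.realm
```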
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev