[16505] in Kerberos_V5_Development
Re: Anonymous pkinit and ticket policy
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Nov 22 18:36:20 2010
From: Sam Hartman <hartmans@mit.edu>
To: jaltman@secure-endpoints.com
Date: Mon, 22 Nov 2010 18:36:07 -0500
In-Reply-To: <4CEAEB00.9080206@secure-endpoints.com> (Jeffrey Altman's message
of "Mon, 22 Nov 2010 17:13:20 -0500")
Message-ID: <tsl1v6daq3c.fsf@carter-zimmerman.suchdamage.org>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
>>>>> "Jeffrey" == Jeffrey Altman <jaltman@secure-endpoints.com> writes:
Jeffrey> On 11/17/2010 6:58 PM, ghudson@mit.edu wrote:
>> Right now, if you enable anonymous pkinit (by creating the
>> WELLKNOWN/ANONYMOUS principal), the KDC will issue tickets with
>> the anonymous client principal and any service principal--same as
>> any other client principal.
>>
>> It is not unheard of for services to offer some level of access
>> to any user who can authenticate. The existence (real or
>> perceived) of such services may discourage people from using
>> anonymous pkinit for its major use cases--FAST armor and host
>> registration via anonymous kadmin. If you are an integrator
>> looking to simplify one of those use cases, you have caveats to
>> worry about.
Jeffrey> My perspective on this is that any service that is
Jeffrey> intentionally offering services to any authentication
Jeffrey> without examining the user principal name in any way is
Jeffrey> already providing an anonymous service. Therefore, there
Jeffrey> is no change in the behavior.
I'm certainly aware of services that offer service to all authenticated
users within a realm. However the things I'm aware of are either truly
public or examine the realm field. The realm WELLKNOWN:ANONYMOUS is by
definition not going to be the local realm.
So, as part of this discussion I'd like to hear about specific services
that are affected.
--Sam
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
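The realm check Sam describes, as an added example that is not code from this thread or from MIT Kerberos: a service-side policy that grants "any authenticated user" access only to clients from the local realm, and never to the anonymous principal. The principal strings, the local realm EXAMPLE.COM and the function names are constructed for the illustration.

```python
"""Service-side check before granting "any authenticated user" access.

Anonymous PKINIT tickets carry the client principal
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS, so a service that only checks
that authentication succeeded admits anonymous callers. Comparing the
realm with the local realm (and rejecting the anonymous name outright,
which also covers the realm-exposed form WELLKNOWN/ANONYMOUS@REALM)
closes that gap. Constructed example, not MIT Kerberos code.
"""

ANONYMOUS_REALM = "WELLKNOWN:ANONYMOUS"
ANONYMOUS_COMPONENTS = ["WELLKNOWN", "ANONYMOUS"]


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Kerberos principal strings escape '/', '@' and '\\' with a backslash,
    so a plain rsplit('@') is not safe; walk the string instead.
    """
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):   # escaped character
            buf.append(principal[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":               # component separator
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":             # first unescaped '@'
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % principal)
    return components, "".join(buf)


def is_anonymous(principal):
    """True for the anonymous realm or the anonymous principal name."""
    components, realm = split_principal(principal)
    return realm == ANONYMOUS_REALM or components == ANONYMOUS_COMPONENTS


def authorize_authenticated_user(client_principal, local_realm):
    """Admit only non-anonymous clients whose realm is the local realm."""
    if is_anonymous(client_principal):
        return False
    _components, realm = split_principal(client_principal)
    return realm == local_realm
```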