[39455] in Kerberos
Re: Why do "strict acceptor checking"?
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Tue Oct 8 09:43:37 2024
Message-Id: <202410081342.498DgtxB017212@hedwig.cmf.nrl.navy.mil>
To: "Roland C. Dowdeswell" <elric@imrryr.org>
cc: kerberos@mit.edu
In-Reply-To: <6eex7zf7qp5sid5z6kzeqg762fs5acmo3jz7lbiwinmapayyy3@4sr7binjgjrq>
Date: Tue, 08 Oct 2024 09:42:55 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>> However, this has made me wonder: why do this at all? What is the
>> possible security gain here? It's not the default in the code; you have
>> to explicitly write code to enable this behavior. But I can't really
>> think of a case where NOT having strict acceptor checking is a security
>> problem; I could maybe squint and envision some kind of weird hosted
>> server setup where it might matter, but I'm not sure that is ever done
>> in the real world. I will admit it is entirely possible I am missing
>> something; if I am, I'd sure like to understand what I am missing.
>
>I have always operated under the theory that one should make sure that
>the keytab accepts exactly the set of principals that are required.
>This is something that is under the ultimate control of the system
>administrator. When an application turns on strict acceptor checking,
>they remove this configurability from the system administrator which I
>think makes the system much less flexible.
I'm completely with you, but clearly plenty of application writers do not
agree with this sentiment! So I'm wondering what I am missing.
--Ken