
Re: Authorization



>>>>> "Brandon" == Brandon S Allbery KF8NH <allbery@kf8nh.apk.net> writes:

    Brandon> Authentication: "this user is who s/he claims to be"
    Brandon> Authorization: "this user is permitted to do these
    Brandon> things"

    Brandon> Kerberos only provides the former (well, barring the
    Brandon> w2kproblem "extensions").  You want to have the latter as
    Brandon> well as the former, unless you really want every
    Brandon> principal in your KDC to have administrative access to
    Brandon> your router.

What about the authorization in Kerberos applications, e.g. telnetd
says "if this user has been authenticated as 'bam@...', then
he can log in with the Unix Id = bam". Not to mention .k5login
(IIRC) files...

Are there any limitations with this form of authorization?

Thanks for your response.
-- 
Brian May <bmay@csse.monash.edu.au>
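
Added example, not part of the original message: a simplified Python model of the check discussed above, in which a Kerberized login service decides whether an already-authenticated principal may use a local account, either by matching names or through a .k5login file. The realm EXAMPLE.COM, the function names and every principal other than the name bam are constructed, and the rules assume MIT Kerberos's documented default behaviour.

```python
from typing import Optional

DEFAULT_REALM = "EXAMPLE.COM"  # constructed realm, not taken from the message


def parse_k5login(text: str) -> set:
    """Return the principals listed in a .k5login file, one per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def may_login(principal: str, local_user: str,
              k5login: Optional[str] = None,
              default_realm: str = DEFAULT_REALM) -> bool:
    """Simplified model of the per-account authorization decision.

    Authentication has already succeeded when this runs; the only
    question left is whether `principal` may act as `local_user`.
    `k5login` is the content of that account's .k5login file, or
    None when the account has no such file.
    """
    if k5login is not None:
        # File present: only listed principals are accepted, and that
        # includes the account owner's own principal.
        return principal in parse_k5login(k5login)
    # No file: accept only name@default_realm where name equals the
    # local account name. An instance such as bam/admin does not match.
    name, sep, realm = principal.rpartition("@")
    return sep == "@" and realm == default_realm and name == local_user


# Constructed cases: (principal, local account, .k5login content or None)
CASES = [
    ("bam@EXAMPLE.COM", "bam", None),
    ("bam@OTHER.ORG", "bam", None),
    ("bam/admin@EXAMPLE.COM", "bam", None),
    ("alice@EXAMPLE.COM", "bam", "alice@EXAMPLE.COM\n"),
    ("bam@EXAMPLE.COM", "bam", "alice@EXAMPLE.COM\n"),
]

if __name__ == "__main__":
    for principal, user, content in CASES:
        verdict = "allow" if may_login(principal, user, content) else "deny"
        print(f"{principal:24} -> {user}: {verdict}")
```

The decision is a single yes or no for the whole account: a principal that passes gets everything the local user can do.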