Re: Authorization
>>>>> On 25 Nov 1999, "Brian" == Brian May wrote:
>>>>> "Brandon" == Brandon S Allbery KF8NH <allbery@kf8nh.apk.net> writes:
Brandon> Authentication: "this user is who s/he claims to be"
Brandon> Authorization: "this user is permitted to do these things"
Brandon> Kerberos only provides the former (well, barring the w2kproblem
Brandon> "extensions"). You want to have the latter as well as the
Brandon> former, unless you really want every principal in your KDC to
Brandon> have administrative access to your router.
Brian> What about the authorization in Kerberos applications, e.g. telnetd
Brian> says "if this user has been authenticated as 'bam@...', then he
Brian> can log in with the Unix Id = bam". Not to mention .k5login (IIRC)
Brian> files...
I'm not sure exactly what you are asking, but sure, there is authorization
in the Kerberos *apps*, there has to be. In the case of telnet, the
authorization is the standard Unix one: if getpwnam() returns an
account, that user can log in to that machine. Without a princ -> username
mapping in place, the intuitive one is used. Note that even with valid
Kerberos credentials, you control authorization by entries in /etc/passwd.
Brian> Are there any limitations with this form of authorization?
Sure, lots. :) Most notably security-wise, most sites will use an
insecure back-end authorization service (eg: NIS).
~f
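The authorization step described in this exchange, written out as an added example that is not part of the original thread or of any Kerberos implementation: a login service has already authenticated a principal and must decide whether it may become a given local account. The check follows the three rules named above: the account must exist locally (getpwnam(), i.e. /etc/passwd or whatever back end such as NIS sits behind it), a .k5login listing, if present, must name the principal exactly, and otherwise the "intuitive" mapping name@LOCALREALM -> name must yield the requested account. This is a simplified version of what MIT krb5_kuserok() does; the realm EXAMPLE.COM, the principals and the .k5login contents are constructed, and the listing is passed in as a string so the code runs without touching the filesystem.

```c
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map a Kerberos principal to a local account name using the default
 * rule from the thread: name@LOCALREALM -> name.  Principals carrying an
 * instance (name/instance@REALM) or a foreign realm do not map at all.
 * Returns 1 and fills `out` on success, 0 otherwise. */
int map_principal(const char *princ, const char *local_realm,
                  char *out, size_t outlen)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL || at == princ)
        return 0;
    size_t namelen = (size_t)(at - princ);
    if (memchr(princ, '/', namelen) != NULL)   /* has an instance component */
        return 0;
    if (strcmp(at + 1, local_realm) != 0)      /* foreign realm: no default mapping */
        return 0;
    if (namelen + 1 > outlen)
        return 0;
    memcpy(out, princ, namelen);
    out[namelen] = '\0';
    return 1;
}

/* Check a .k5login listing (one principal per line) for an exact match.
 * `k5login` is the file's contents; a real service would read
 * ~user/.k5login and also verify it is owned by the user and not writable
 * by anyone else before trusting it. */
int k5login_permits(const char *k5login, const char *princ)
{
    size_t plen = strlen(princ);
    const char *p = k5login;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        /* ignore trailing CR and whitespace on the line */
        while (len > 0 && (p[len - 1] == '\r' || p[len - 1] == ' ' || p[len - 1] == '\t'))
            len--;
        if (len == plen && memcmp(p, princ, plen) == 0)
            return 1;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Decide whether authenticated principal `princ` may log in as `user`.
 * Returns 1 to allow, 0 to deny.  Pass k5login == NULL when the user has
 * no .k5login file. */
int authorize_login(const char *princ, const char *user,
                    const char *local_realm, const char *k5login)
{
    /* 1. The account must exist; this is the /etc/passwd (or NIS) step. */
    if (getpwnam(user) == NULL)
        return 0;
    /* 2. A .k5login file, when present, is the complete allow-list. */
    if (k5login != NULL)
        return k5login_permits(k5login, princ);
    /* 3. Otherwise fall back to the default principal -> username mapping. */
    char mapped[64];
    if (!map_principal(princ, local_realm, mapped, sizeof mapped))
        return 0;
    return strcmp(mapped, user) == 0;
}

int main(void)
{
    /* constructed .k5login for the local account "root" */
    const char *k5login = "alice@EXAMPLE.COM\nbam/admin@EXAMPLE.COM\n";
    printf("root@EXAMPLE.COM as root, no .k5login:      %d\n",
           authorize_login("root@EXAMPLE.COM", "root", "EXAMPLE.COM", NULL));
    printf("root@OTHER.ORG as root, no .k5login:        %d\n",
           authorize_login("root@OTHER.ORG", "root", "EXAMPLE.COM", NULL));
    printf("alice@EXAMPLE.COM as root via .k5login:     %d\n",
           authorize_login("alice@EXAMPLE.COM", "root", "EXAMPLE.COM", k5login));
    printf("root@EXAMPLE.COM as root, .k5login present: %d\n",
           authorize_login("root@EXAMPLE.COM", "root", "EXAMPLE.COM", k5login));
    return 0;
}
```

Two points worth noticing when running it: a .k5login file replaces the default mapping rather than extending it, so once the file exists even root@EXAMPLE.COM is refused as root unless listed; and the whole decision is only as trustworthy as the getpwnam() back end, which is exactly the weakness the reply points at when NIS is used.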