On Fri, Jan 18, 2013 at 1:35 PM, Russ Allbery <[email protected]> wrote:
> Nico Williams <[email protected]> writes:
>> There's really no point to the /admin thing: since the server requires
>> INITIAL tickets there's no risk of use of stolen TGTs for accessing
>> kadmin, and if you were to have different pre-authentication
>> requirements for kadmin than for initial TGTs the protocol does allow
>> that.
>
> Er, it's still a good security practice to use a separate set of
> credentials that you don't type into everything all the time to do your
> daily work.  Particularly given that we still live in a world where
> there's a lot of SASL PLAIN over TLS.

That might be true, but a) do you really think that people use
different passwords for */admin principals than their regular user
principals? and b) there's no reason that we couldn't have different
credentials for this without having different identifiers.

> It also lets you do things like assign /admin principals randomized keys
> and require that people use PKINIT.

kadmind could just require that hardware pre-auth have been done in
order to allow certain operations.

See also (b) above.  Granted, (b) could only work as long as kadmind
requires INITIAL tickets, or, if it didn't, as long as the client knew
how to request extra/different pre-auth and the KDC knew how to label
the resulting tickets as being differently pre-authenticated.  And
yes, we can do that.

> So no, there is definitely a point.

But I don't believe that distinct names are necessary for this.

Nico
--
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
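To make point (b) concrete, here is an added example (not code from this thread or from MIT Kerberos) of a kadmind-style authorization check keyed on how the ticket was obtained, using the RFC 4120 TicketFlags bits, instead of on an "/admin" suffix in the principal name; the operation policy table is a constructed assumption.

```python
# Added example, not part of the mailing-list thread or of any Kerberos
# implementation. It decodes the TicketFlags bit string from an EncTicketPart
# (RFC 4120 section 5.3.1) and decides whether a kadmin operation is allowed
# based on the pre-authentication recorded in the ticket rather than on the
# principal's name. The policy table below is a constructed assumption.
from enum import IntFlag


def _bit(n: int) -> int:
    # RFC 4120 numbers flag bits with bit 0 as the most significant bit of
    # the 32-bit field, so bit n corresponds to mask 1 << (31 - n).
    return 1 << (31 - n)


class TicketFlags(IntFlag):
    FORWARDABLE = _bit(1)
    RENEWABLE = _bit(8)
    INITIAL = _bit(9)       # issued by the AS exchange, not derived from a TGT
    PRE_AUTHENT = _bit(10)  # client pre-authenticated before issuance
    HW_AUTHENT = _bit(11)   # pre-authentication used a hardware device


def decode_flags(raw: bytes) -> TicketFlags:
    """Decode the 4-byte big-endian flags field of a ticket."""
    if len(raw) != 4:
        raise ValueError("TicketFlags must be exactly 32 bits")
    return TicketFlags(int.from_bytes(raw, "big"))


# Constructed policy: every kadmin operation requires an INITIAL ticket, so a
# stolen TGT alone cannot reach kadmind; the listed operations additionally
# require that the ticket records hardware pre-authentication.
SENSITIVE_OPS = frozenset({"add_principal", "delete_principal", "change_password_other"})


def authorize(flags: TicketFlags, operation: str) -> bool:
    """Return True if a ticket with these flags may perform `operation`."""
    if TicketFlags.INITIAL not in flags:
        return False
    if operation in SENSITIVE_OPS and TicketFlags.HW_AUTHENT not in flags:
        return False
    return True
```

The same principal name passes or fails depending solely on the flags, which is what lets one set of credentials serve both roles.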
