[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authorization

>>>>> "Brandon" == Brandon S Allbery KF8NH <allbery@kf8nh.apk.net> writes:

    Brandon> Authentication: "this user is who s/he claims to be"
    Brandon> Authorization: "this user is permitted to do these
    Brandon> things"

    Brandon> Kerberos only provides the former (well, barring the
    Brandon> w2kproblem "extensions").  You want to have the latter as
    Brandon> well as the former, unless you really want every
    Brandon> principal in your KDC to have administrative access to
    Brandon> your router.

What about the authorization in Kerberos applications, eg telnetd
says "if this user has been authenticated as 'bam@...', then
he can login with the Unix Id = bam". Not to mention .k5login
(IIRC) files...

Are there any limitations with this form of authorization?

Thanks for your response.
Brian May <bmay@csse.monash.edu.au>