
Re: Authorization

>>>>> On 25 Nov 1999, "Brian" == Brian May wrote:

>>>>> "Brandon" == Brandon S Allbery KF8NH <allbery@kf8nh.apk.net> writes:

  Brandon> Authentication: "this user is who s/he claims to be"
  Brandon> Authorization: "this user is permitted to do these things"

  Brandon> Kerberos only provides the former (well, barring the w2k problem
  Brandon> "extensions").  You want to have the latter as well as the
  Brandon> former, unless you really want every principal in your KDC to
  Brandon> have administrative access to your router.

  Brian> What about the authorization in Kerberos applications, eg telnetd
  Brian> says "if this user has been authenticated as 'bam@...', then he
  Brian> can log in with the Unix Id = bam". Not to mention .k5login (IIRC)
  Brian> files...

I'm not sure exactly what you are asking, but sure, there is authorization
in the Kerberos *apps*, there has to be. In the case of telnet, the
authorization is the standard unix one: if getpwnam() returns an
account, that user can log in to that machine. Without a princ -> username
mapping in place, the intuitive one is used. Note that even with valid
Kerberos credentials, you control authorization by entries in /etc/passwd.

  Brian> Are there any limitations with this form of authorization?

Sure, lots. :) Most notably security-wise, most sites will use an
insecure back-end authorization service (eg: NIS).

~f
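The checks the reply describes (the default principal-to-Unix-name mapping, the getpwnam() account test, and .k5login), as an added example that is not part of this thread and not code from any Kerberos implementation. It uses no libkrb5; the realm EXAMPLE.COM and the principals are constructed, and the .k5login contents are passed in as a string rather than read from the account's home directory.

```c
/* Added illustration of Kerberos-application authorization: who the
 * ticket says you are (authentication) is separate from which Unix
 * account you may use (authorization). */
#include <pwd.h>
#include <string.h>

/* Default "intuitive" mapping: "bam@LOCAL.REALM" -> "bam".  Fails for a
 * foreign realm and for principals with an instance ("bam/admin@REALM"),
 * which must never be mapped implicitly. */
int map_principal(const char *princ, const char *local_realm,
                  char *out, size_t outlen) {
    const char *at = strrchr(princ, '@');
    if (at == NULL || strcmp(at + 1, local_realm) != 0) return -1;
    size_t n = (size_t)(at - princ);
    if (n == 0 || n >= outlen || memchr(princ, '/', n) != NULL) return -1;
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

int maps_to(const char *princ, const char *realm, const char *expected) {
    char buf[64];
    return map_principal(princ, realm, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

/* telnetd's rule: the Unix account must exist.  getpwnam() consults the
 * system's name service, which is where a weak back end such as NIS
 * would enter the decision. */
int account_exists(const char *user) {
    return getpwnam(user) != NULL;
}

/* .k5login contents: one principal per line, exact match only. */
int k5login_allows(const char *k5login, const char *princ) {
    size_t plen = strlen(princ);
    for (const char *p = k5login; *p != '\0'; p++) {
        if (strncmp(p, princ, plen) == 0 && (p[plen] == '\n' || p[plen] == '\0'))
            return 1;
        if ((p = strchr(p, '\n')) == NULL) break;   /* advance to next line */
    }
    return 0;
}

/* k5login == NULL means the account has no .k5login, so only the default
 * mapping can grant access; if the file exists, only listed principals can. */
int authorize(const char *princ, const char *local_realm,
              const char *user, const char *k5login) {
    if (!account_exists(user)) return 0;
    if (k5login != NULL) return k5login_allows(k5login, princ);
    return maps_to(princ, local_realm, user);
}
```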