Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 1.17. Are there security risks involved in cross-realm authentication?



Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.16. What is cross-realm authentication?
Next Document: 1.18. Are there any known weaknesses in Kerberos?

When you set up a cross-realm secret, you are in essence trusting the remote
KDC to issue cross-realm tickets only for the correct users: the name in a
cross-realm ticket is whatever the foreign KDC put there. If you do not trust
the foreign KDC, then all principals from the foreign realm are suspect.

However, a realm you share a cross-realm secret with cannot acquire a ticket
for a user in your local realm; a foreign KDC can only cause tickets to be
issued that identify users from the foreign realm (in other words, there is no
way a KDC can cause a ticket to be generated for a principal in a realm other
than its own). Note that this holds for a direct trust. If you also accept
tickets that travel through intermediate realms (transitive cross-realm), each
intermediate KDC can vouch for users of the realms behind it; the ticket's
transited field records the realms on the path, and the local KDC or service
checks that path against the [capaths] policy in krb5.conf, so only list paths
whose every KDC you are willing to trust.

None of the daemons that come with the MIT Kerberos 5 release trust principals
in foreign realms by default; you have to explicitly enable them using ACLs
(for example, by listing the foreign principal in a user's .k5login file or in
the kadmin ACL). So as long as foreign-realm principals are not on any ACLs in
your realm, there isn't a risk.

If you do decide to place foreign-realm principals on ACLs, remember that the
security of that principal depends on the security of the foreign realm: the
foreign KDC, not yours, decides who gets to be that principal.
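The two checks described above, as an added example that is not part of the FAQ and is not MIT Kerberos code: a small Python model of (a) the realm-path check a KDC or service applies to a ticket that arrived through a cross-realm trust, which is what stops a foreign KDC from vouching for a local-realm principal, and (b) .k5login-style authorization, where a foreign-realm principal is refused unless explicitly listed. The local realm `EXAMPLE.COM`, the `CAPATHS` policy, the `CrossRealmTicket` structure and every sample principal and ticket are constructed for this example; a real deployment takes them from krb5.conf and the ticket itself.

```python
"""Added example (not from the Kerberos FAQ, not MIT Kerberos code): a model of
the trust boundary at a cross-realm border.

  trust_cross_realm_ticket()  realm-path check in the spirit of the RFC 4120
                              'transited' field and krb5.conf [capaths]
  authorized()                .k5login-style authorization with the MIT default
                              of refusing foreign-realm principals

LOCAL_REALM, CAPATHS and all sample data below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

LOCAL_REALM = "EXAMPLE.COM"   # assumed local realm

# Assumed policy in the spirit of the krb5.conf [capaths] section: for each
# foreign client realm, the ordered intermediate realms we accept on the path
# to LOCAL_REALM.  An empty list means only a direct cross-realm key is accepted.
CAPATHS = {
    "PARTNER.ORG": [],              # we share a cross-realm key with PARTNER.ORG
    "FAR.NET": ["PARTNER.ORG"],     # FAR.NET users must come through PARTNER.ORG
}


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str


def parse_principal(text: str, default_realm: str = LOCAL_REALM) -> Principal:
    """Parse 'name[/instance...]@REALM'.  A backslash escapes the next
    character, so 'web\\@host@REALM' has the name 'web@host'.  A name with no
    '@' is placed in default_realm, as krb5_parse_name does."""
    name, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            name.append(text[i + 1])
            i += 2
        elif text[i] == "@":
            realm = text[i + 1:]
            if not realm:
                raise ValueError("empty realm in %r" % text)
            return Principal("".join(name), realm)
        else:
            name.append(text[i])
            i += 1
    if not name:
        raise ValueError("empty principal name in %r" % text)
    return Principal("".join(name), default_realm)


@dataclass(frozen=True)
class CrossRealmTicket:
    client: Principal
    issuing_realm: str             # realm whose cross-realm key this ticket is under
    transited: Sequence[str] = ()  # intermediate realms already recorded in it


def trust_cross_realm_ticket(t: CrossRealmTicket, capaths=CAPATHS) -> bool:
    """Accept the ticket only if the realm path it travelled is one our policy
    allows.  The issuing realm is appended to the recorded path when it is not
    the client's own realm, as RFC 4120 section 3.3.3.2 has the TGS do."""
    if t.client.realm == LOCAL_REALM:
        # A foreign KDC can never vouch for one of our own principals.
        return False
    path = list(t.transited)
    if t.issuing_realm != t.client.realm:
        path.append(t.issuing_realm)
    allowed = capaths.get(t.client.realm)
    return allowed is not None and path == list(allowed)


def authorized(principal: Principal, local_user: str,
               k5login: Optional[Sequence[str]] = None) -> bool:
    """Decide whether `principal` may use the account `local_user`.

    With no .k5login, only local_user@LOCAL_REALM is accepted, so every
    foreign-realm principal is refused.  With a .k5login, exactly the listed
    principals are accepted; listing a foreign principal is the explicit act
    that extends trust to that realm's KDC."""
    if k5login is None:
        return principal == Principal(local_user, LOCAL_REALM)
    for line in k5login:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if principal == parse_principal(line):
            return True
    return False


if __name__ == "__main__":
    alice = parse_principal("alice@PARTNER.ORG")
    direct = CrossRealmTicket(alice, issuing_realm="PARTNER.ORG")
    forged_local = CrossRealmTicket(parse_principal("root@EXAMPLE.COM"),
                                    issuing_realm="PARTNER.ORG")
    print("direct ticket trusted:", trust_cross_realm_ticket(direct))
    print("forged local principal trusted:", trust_cross_realm_ticket(forged_local))
    print("alice without .k5login:", authorized(alice, "alice"))
    print("alice listed in .k5login:", authorized(alice, "alice", ["alice@PARTNER.ORG"]))
```

Running it shows the boundary the FAQ describes: a ticket from PARTNER.ORG naming `root@EXAMPLE.COM` is refused outright, and `alice@PARTNER.ORG` is refused by `authorized()` until someone lists her in the .k5login. It also shows the transitive caveat: a ticket for `bob@FAR.NET` issued under PARTNER.ORG's key is accepted because the policy allows that path, and nothing in the ticket lets EXAMPLE.COM tell whether FAR.NET ever authenticated bob or PARTNER.ORG's KDC invented him, which is why each realm on an allowed path must be one you trust.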


Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>
Last Update March 27 2014 @ 02:11 PM