Sunday 19 October 2008

ok-as-delegate and GSS-API

Background


To forward your Kerberos credential from a GSS-API client to a server you turn on the flag GSS_C_DELEG_FLAG in the request flags of gss_init_sec_context. This will, as part of the authentication, forward your tickets (a forwarded TGT) to the server.

The problem is that you don't want to turn this on for every server you authenticate to, because most of them should probably not be trusted with your tickets.

To solve this Microsoft added an extension to Kerberos that was later included in RFC 4120 (the Kerberos protocol RFC). The extension is called ok-as-delegate and is a ticket flag, set by the KDC on the service ticket for a host. Using the flag the client can find out what the system administrator thinks about the host: whether it should be delegated to or not.

Non-Microsoft sites have been using GSS-API implementations that don't honor the ok-as-delegate flag, and most of them have never set the ok-as-delegate flag on any service principal. In some cases the sites are using Kerberos implementations that don't even support setting the ok-as-delegate flag in the Kerberos database.

Users at these sites have grown accustomed to the behavior of GSS_C_DELEG_FLAG, and changing the GSS-API implementation underneath them so that GSS_C_DELEG_FLAG honors the ok-as-delegate flag will only make people upset.

New flag


What we can do is introduce a new flag, GSS_C_DELEG_POLICY_FLAG, that is defined to honor the ok-as-delegate flag.

GSS_C_DELEG_POLICY_FLAG is a local flag that is never seen on the wire. It is only used by the initiator; the acceptor never sees the flag, it only sees whether a credential was delegated (reported as GSS_C_DELEG_FLAG on its side).

There are four cases where GSS_C_DELEG_POLICY_FLAG and GSS_C_DELEG_FLAG interact with each other and with the resulting return flags.

  • Neither flag set
    do nothing with regard to delegation

  • GSS_C_DELEG_FLAG set
    always try to delegate, and set GSS_C_DELEG_FLAG in the return flags if successful

  • GSS_C_DELEG_POLICY_FLAG set
    try to delegate only if ok-as-delegate is set on the service ticket; if it is and delegation succeeds, set both GSS_C_DELEG_FLAG and GSS_C_DELEG_POLICY_FLAG in the return flags

  • GSS_C_DELEG_FLAG and GSS_C_DELEG_POLICY_FLAG set
    always try to delegate, and set GSS_C_DELEG_FLAG in the return flags if successful. Also, if successful and ok-as-delegate was set on the service ticket, set GSS_C_DELEG_POLICY_FLAG in the return flags.
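As an added example, not code from Heimdal or MIT krb5: the initiator's decision for the four cases above, written as a stand-alone C program that compiles without a GSS-API library. It takes the requested flags, whether the KDC set ok-as-delegate on the service ticket, and whether forwarding the TGT actually succeeded, and returns the delegation bits of the return flags. The two flag constants are defined locally (they are the values MIT krb5 and Heimdal use for these flags); `deleg_should_attempt`, `deleg_ret_flags` and the boolean `ok_as_delegate` parameter are names chosen here, not library API.

```c
/*
 * Added example: initiator-side delegation decision for
 * GSS_C_DELEG_FLAG / GSS_C_DELEG_POLICY_FLAG (not library code).
 */
#include <stdio.h>
#include <stdint.h>

typedef uint32_t OM_uint32;

/* Values used by MIT krb5 and Heimdal; defined here so no gssapi.h is needed. */
#define GSS_C_DELEG_FLAG        1u
#define GSS_C_DELEG_POLICY_FLAG 32768u

/*
 * Does the initiator try to forward a credential at all?  Yes if the caller
 * asked for unconditional delegation, or asked for policy-controlled
 * delegation and the KDC marked the service ticket ok-as-delegate.
 */
int deleg_should_attempt(OM_uint32 req_flags, int ok_as_delegate)
{
    if (req_flags & GSS_C_DELEG_FLAG)
        return 1;
    if ((req_flags & GSS_C_DELEG_POLICY_FLAG) && ok_as_delegate)
        return 1;
    return 0;
}

/*
 * Delegation-related bits of ret_flags.  forward_ok simulates whether
 * obtaining and sending the forwarded TGT succeeded (a real library can
 * fail here, e.g. when the TGT is not forwardable).  GSS_C_DELEG_FLAG is
 * reported whenever a credential was actually delegated;
 * GSS_C_DELEG_POLICY_FLAG only when the caller asked for it and the ticket
 * carried ok-as-delegate, so the application can tell "delegated because
 * policy allowed it" from "delegated regardless of policy".
 */
OM_uint32 deleg_ret_flags(OM_uint32 req_flags, int ok_as_delegate, int forward_ok)
{
    OM_uint32 ret = 0;

    if (!deleg_should_attempt(req_flags, ok_as_delegate) || !forward_ok)
        return 0;

    ret |= GSS_C_DELEG_FLAG;
    if ((req_flags & GSS_C_DELEG_POLICY_FLAG) && ok_as_delegate)
        ret |= GSS_C_DELEG_POLICY_FLAG;
    return ret;
}

static const char *flag_name(OM_uint32 flags)
{
    switch (flags) {
    case 0:                                          return "none";
    case GSS_C_DELEG_FLAG:                           return "DELEG";
    case GSS_C_DELEG_POLICY_FLAG:                    return "DELEG_POLICY";
    case GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG: return "DELEG|DELEG_POLICY";
    default:                                         return "?";
    }
}

/* Print the decision table: four request combinations x ok-as-delegate on/off. */
int main(void)
{
    const OM_uint32 reqs[] = { 0, GSS_C_DELEG_FLAG, GSS_C_DELEG_POLICY_FLAG,
                               GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG };
    size_t i;
    int ok;

    printf("%-20s %-14s %-8s %s\n", "req_flags", "ok-as-delegate", "attempt", "ret_flags");
    for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        for (ok = 0; ok <= 1; ok++) {
            /* assume the forwarded TGT was obtained and sent */
            OM_uint32 ret = deleg_ret_flags(reqs[i], ok, 1);
            printf("%-20s %-14s %-8s %s\n", flag_name(reqs[i]), ok ? "yes" : "no",
                   deleg_should_attempt(reqs[i], ok) ? "yes" : "no", flag_name(ret));
        }
    }
    return 0;
}
```

The row worth checking in the printed table is the one for GSS_C_DELEG_POLICY_FLAG alone with ok-as-delegate off: nothing is attempted and no delegation flag comes back, which is exactly the protection the new flag is meant to give an application that would previously have set GSS_C_DELEG_FLAG.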


Cross realm?


What is missing is how ok-as-delegate and GSS_C_DELEG_POLICY_FLAG should work in the cross-realm case. RFC 4120 is silent on this issue; the ok-as-delegate flag doesn't mean anything on a cross-realm TGT. The question is how this should be dealt with.

The obvious answer is to define a meaning for ok-as-delegate on the cross-realm TGT, but how would that interact with existing deployments?

Current behavior in released MIT and Heimdal is that the flag is ignored. Microsoft clients honor the flag within Windows domains, and for external realms they allow delegation if a flag is set in the realm configuration on the client.

Any good ideas out there?

21 comments:

  1. Great blog! Outstanding lines. Keep up the amazing effort. To improve my website! I suppose it's good enough to use some of your ideas!! I simply couldn't leave your site just by reading this blog. I am really impressed with the content and way of writing. Keep sharing more.
    Divorce Lawyers Roanoke VA
    virginia emergency protective order

  2. Introducing GSS_C_DELEG_POLICY_FLAG seems like a practical solution to maintain control over delegation. The cross-realm issue certainly requires careful consideration for seamless integration.
    Divorcio en Estado de Nueva York ¿Cuánto Tiempo Lleva?

  3. To create an innovation culture within an organization, focus on key areas such as leadership support, clear objectives and vision, open communication, risk-taking and experimentation, recognition and rewards, cross-functional collaboration, investment in resources, continuous learning and development, customer-centric focus, and adaptability and flexibility. Leaders should actively champion innovation initiatives, defining clear objectives and visions, encouraging open communication, and recognizing and rewarding innovative thinking. Cross-functional collaboration across departments and teams is also crucial. Providing necessary resources, continuous learning, and customer-centric focus can help create a culture where innovation thrives and becomes ingrained in the organization's DNA.
    virginia reckless driving attorney cost
    A licensed professional, a lawyer advises and represents clients in a variety of legal matters, including criminal, family, personal injury, and business law. By educating people about their legal rights and options, representing them in court, settling disputes, preparing legal documents, conducting research, and standing up for their clients' interests, they play a critical role in society.

  4. This comment has been removed by the author.

  5. The article provides a thorough analysis of Kerberos authentication's ok-as-delegate flag, its function in GSS-API architecture, its impact on security and use cases, and clarifies potential security concerns and mitigating techniques for sensitive contexts, making it an excellent resource for secure authentication mechanisms.
    arlington family lawyer

  6. OK-AS-DELEGATE and GSS-API are crucial components in network security, particularly in Kerberos authentication systems. OK-AS-DELEGATE is a Kerberos flag set by a KDC, allowing a service to delegate user credentials to another service.
    reckless driving bristol virginia
    If you're facing reckless driving charges in Bristol, Virginia, a qualified attorney can help you understand your rights and navigate the legal process. They can work to reduce penalties, minimize fines, or potentially dismiss the charges to protect your driving record and future.

  7. The speaker is seeking clarification on the GSS-API and delegation ideas, and is available to assist with technical aspects, implementation, and other questions.
    dui lawyer rockland county ny

  8. This article provides a comprehensive explanation of the Generic Security Services Application Program Interface (GSS-API) and the OK-as-Delegate mechanism, highlighting its ease of delegating authentication while maintaining security. It provides real-world context and comparisons with other delegation techniques, but a section on typical challenges faced by developers would enhance the text.
    federal criminal defense lawyer maryland
    This article discusses the role of a federal criminal defense attorney in Maryland, emphasizing the importance of knowledgeable legal counsel.

  9. It can be difficult to set up safe delegation using ok-as-delegate and GSS-API; careful configuration is needed to strike a balance between security and functionality. Performance and compatibility: despite GSS-API's versatility, compatibility problems may arise with certain outdated systems. Delegating may also result in overhead, thus it's critical to evaluate the performance impact.
    immigration to the us from india

  10. You seem to be talking about "OK-as-Delegate" and "GSS-API." Could you be more precise about the information you are seeking? Do you want to know how they connect to security protocols, authentication, or anything else?
    semi truck accident lawyer

  11. The Heimdal blog helps readers stay up to date on digital safety and protection tactics by providing insights on cybersecurity trends, threats, and solutions.
    criminal defense lawyer arlington va
    For those facing criminal charges, a criminal defense attorney in Arlington, Virginia, offers knowledgeable legal counsel, guaranteeing that their rights are upheld at every stage of the proceedings.

  12. Excellent tutorial! Your walkthrough on using OK as a delegate and GSS API is incredibly clear and informative. The code examples and explanations helped me understand the concepts much better. Thanks for sharing your expertise. Want to know about divorcio indiscutido sin culpa en virginia click it.

  13. The ok-as-delegate and GSS-API (Generic Security Service Application Program Interface) are important concepts in network security. ok-as-delegate allows secure delegation of credentials, while GSS-API facilitates secure communication by abstracting authentication mechanisms. Both are crucial in enabling trusted authentication and secure interactions between clients and services.
    assault and battery first offense
    SrisLaw offers personalized, reliable solutions for all your legal needs. Trust us to protect your interests — schedule a consultation today!

  14. The GSS-API is a standard interface for applications to access security services like integrity, confidentiality, and authentication. It provides a consistent API for programs and abstracts various security techniques like SPNEGO and Kerberos. Delegation in GSS-API or other security protocols allows a service to act on behalf of a client.
    semi truck accident attorney

  15. Your blog is new to me, but I’m already impressed by the quality and clarity. Protect your future with a skilled Roanoke Sex Crime Lawyer. We handle all sex crime charges with professionalism and expertise. Schedule a consultation now.

  16. The text explains the concept of an "OK as Delegate" statement, which indicates that an operation or activity is accepted or successful. A delegate is an object or function that manages a task on behalf of another object in software development. In JavaScript or C#, a delegate is a type-safe function pointer.
    truck accident

  17. In authentication systems, especially Kerberos, the "ok-as-delegate" flag is used to permit one principal to operate on behalf of another. It facilitates the establishment of safe, delegated communications between systems when used in tandem with GSS-API (Generic Security Services Application Programming Interface). This configuration ensures security and flexibility in distributed systems and is essential for situations requiring the safe, reliable delegation of actions or credentials.
    traffic attorney in manassas va
    In Manassas, Virginia, and dealing with a traffic ticket? A knowledgeable traffic lawyer can preserve your driving record, reduce fines, and offer advice on how to comply with local traffic regulations. Your chances of getting fines, points, or even having charges dropped are higher if you have legal counsel.

  18. strong foundation for safe, delegated communication and authentication in intricate networked settings, but they can be difficult for developers who are not familiar with security protocols. When properly set up, they provide for scalable and secure applications, especially in business or multi-service settings where secure message transmission and authentication are essential.
    how much jail time for domestic violence in virginia

  19. It's a severe matter to be charged with domestic violence in New Jersey. Criminal charges, restraining orders, and maybe jail time could result from it. To safeguard your rights, get legal advice straight away.
    Accused Of Domestic Violence in New Jersey

  20. The OK-AS-DELEGATE flag in Kerberos authentication, when combined with GSS-API, enables secure delegation of user credentials to trusted services. This ensures that programs can act on users' behalf while maintaining security, making it an important feature for multi-tiered architectures. Adding this flag to GSS-API allows administrators to better manage and regulate access, improving overall system security.
    virginia reckless driving ticket
