[29222] in Kerberos
Re: Kerberized authorization service
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Mon Feb 11 11:28:17 2008
Message-Id: <200802111625.m1BGPIgV010164@ginger.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <9279.1202746196@malison.ait.iastate.edu>
Date: Mon, 11 Feb 2008 11:25:18 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>I think this has all the elements Jeff thought were essential
>except for:
> 1) a text reason for no <-- not seeing what you would say -- "no means no"?
Let's say, for example, you wanted to require hardware preauthentication for
some services (I doubt _you_ would, but that is something that we do). You
could return a message that says, "Hardware preauthentication is required
to access this system". Or you might want to return a message of the
form, "Kerberos principal kenh@CMF.NRL.NAVY.MIL is not permitted to login to
account hascall". Or you might want to return the message, "You're fired,
piss off!". Or ... well, you get the idea.
I could maybe see the argument that this might be a security issue; if
you think that's the case, the hypothetical authz server could simply
return "Permission denied" for every failure. But if the error text is
returned by the server, that gives you the option of adding more useful
error messages in the future. Me, I've found that the more useful of
an error message you can return, the easier time you have in terms of
user support.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
