On Sun, Apr 26, 2015 at 07:08:38AM -0500, Ben H wrote:
>
> Thanks all. Continued appreciation for your contributions and guidance.
Although I am not sure if it influenced the original design decisions,
there are also some operational benefits. At a lot of companies,
you may have different teams
Thanks all. Continued appreciation for your contributions and guidance.
On Sat, Apr 25, 2015 at 10:29 AM, Greg Hudson wrote:
> On 04/24/2015 06:05 PM, Ben H wrote:
> > So from a privilege separation perspective, are we talking more from a
> > hardening perspective? E.g. if I can compromise ser
On 04/24/2015 06:05 PM, Ben H wrote:
> So from a privilege separation perspective, are we talking more from a
> hardening perspective? E.g. if I can compromise serviceA that would
> give me the key to serviceB?
Yes.
> While that is a valid concern - if we were to guarantee (theoretically)
> that
On Fri, Apr 24, 2015 at 05:05:32PM -0500, Ben H wrote:
> Nico - I'm not sure I understand your redirection statement. Is this from
> a "man-in-the-middle" type perspective? The fact that each application
> communicates over a specific port would be enough to direct to the correct
> service, no?
Thanks Simo - I think that your explanation mostly answers the first part
from my reply!
On Fri, Apr 24, 2015 at 5:05 PM, Ben H wrote:
> Greg -
>
> So from a privilege separation perspective, are we talking more from a
> hardening perspective? E.g. if I can compromise serviceA that would give
>
Greg -
So from a privilege separation perspective, are we talking more from a
hardening perspective? E.g. if I can compromise serviceA that would give
me the key to serviceB?
While that is a valid concern - if we were to guarantee (theoretically)
that serviceA couldn't be breached (or there was a
On Fri, 2015-04-24 at 16:46 -0400, Greg Hudson wrote:
> On 04/24/2015 03:37 PM, Ben H wrote:
> > Why not simply use host/serverA.domain.com for both services?
>
> At a protocol level, it's to support privilege separation on the server.
> The CIFS server doesn't need access to the LDAP server key
On Fri, Apr 24, 2015 at 04:46:55PM -0400, Greg Hudson wrote:
> On 04/24/2015 03:37 PM, Ben H wrote:
> > Why not simply use host/serverA.domain.com for both services?
>
> At a protocol level, it's to support privilege separation on the server.
> The CIFS server doesn't need access to the LDAP serv
On 04/24/2015 03:37 PM, Ben H wrote:
> Why not simply use host/serverA.domain.com for both services?
At a protocol level, it's to support privilege separation on the server.
The CIFS server doesn't need access to the LDAP server key and vice versa.
Of course you only get this benefit if (a) the
I've worked with Kerberos implementations for a while, but almost
exclusively with AD in the KDC role (though MIT clients as well).
This may sound like a beginner question because of my lack of experience
with "pure" Kerberos.
When accessing services we require a service ticket for each principal,
10 matches
Mail list logo
