Are there security risks involved in cross-realm authentication?
When you set up a cross-realm secret, you are in essence trusting the remote KDC to only issue cross-realm tickets for the correct users. If you do not trust the foreign KDC then all principals from the foreign realm are suspect. However, a realm which you share a cross-realm secret with cannot acquire a ticket for a user in your local realm; a foreign KDC can only cause tickets to be issued that identify users from the foreign realm (in other words, there’s no way a KDC can cause a ticket to be generated for a principal in a realm other than it’s own). All of the daemons that come with the MIT Kerberos 5 release do not trust principals in foreign realms by default; you have to explicitly enable them using ACLs. So as long as foreign-realm principals are not on any ACLs in your realm, there isn’t a risk. If you do decide to place foreign-realm principals on ACLs, you will have to remember that the security of that principal depends on the security of the foreign realm.
