[krbdev.mit.edu #2641] KRB5_KDB_DISALLOW_SVR flag unnecessarily prevents User2User

Sam Hartman via RT rt-comment at krbdev.mit.edu
Thu Jul 22 16:34:58 EDT 2004


>>>>> "pcmoore at sandia" == pcmoore at sandia gov via RT <rt-comment at krbdev.mit.edu> writes:

    pcmoore at sandia> I agree that the proposed fix would cause a subtle
    pcmoore at sandia> change of KDC behavior, but like Ken, I can't
    pcmoore at sandia> imagine that it would catch anyone by surprise.
    pcmoore at sandia> And the fix is a really important security feature
    pcmoore at sandia> to any site that needs to allow user2user, and to
    pcmoore at sandia> require preauthentication.

I don't consider this a high priority for our implementation because
we don't really have a good implementation of U2U at the current time.

We'd need to have SPNEGO, so a client can determine whether it should
be using U2U or normal Kerberos.  We'd also need to support the U2U
mechanism.

I'm not sure I see a problem taking the patch other than the change in
semantics.

So again, I continue to believe that the best course of action is to
solicit review of the change in semantics and if people don't complain
then adopt the patch.
