[krbdev.mit.edu #2940] KDC and kadmin support for TKT_FLG_OK_AS_DELEGATE
DEEngert@anl.gov via RT
rt-comment at krbdev.mit.edu
Wed Feb 23 11:52:54 EST 2005
P.S. Since the Windows XP ksetup has a /setRealmFlags ... Delegate
this is not critical. The client can override the check
for a whole realm.
DEEngert at anl.gov via RT wrote:
> Please consider adding to the KDC and kadmin support to set
> the TKT_FLG_OK_AS_DELEGATE in service tickets.
>
> This can be useful when a MS client using SSPI is asked to
> delegate. It firsts checks the service ticket to see if it
> is OK to delegate to this service.
>
> Mods to PuTTY are available that can use the SSPI for
> ssh gssapi-with-mic. But the SSPI will not delegate to the
> host service if the KDC does not set this flag.
>
> You may also want to consider adding this same check
> in the gss_init_sec_context.
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the krb5-bugs
mailing list