[krbdev.mit.edu #8625] Caching Forwarded TGTs
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Thu Dec 7 11:24:40 EST 2017
[tlubin at janestreet.com - Wed Dec 6 17:17:52 2017]:
> What are your thoughts on doing this only if addresses
> are used in tickets?
I'm not sure that fully resolves the concern; multiple parties with
different privilege levels might be using the same IP address.
I would also question whether it is worth the code complexity at that
point, since it's vanishingly uncommon to use addresses in tickets
these days.
Taking a step back: if the forwarded tickets are used at least once
on the receiving end, at least one TGS request will be made on the
receiving host. So under that condition, caching the forwarded
tickets on the sending host saves at most 50% of TGS requests in this
scenario--not nothing, but not as helpful as many scenarios where we
cache service tickets.
I have heard of scenarios where a browser is configured to forward
tickets when doing Negotiate auth, and since a browser typically
makes many HTTP connections when loading a web page, failure to cache
the forwarded tickets slows down page loads substantially. But I
suspect in these scenarios that the browser configuration is in
error, and the forwarded tickets are never used on the receiving end.
More information about the krb5-bugs
mailing list