Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
Klaus Heinrich Kiwi
klausk at linux.vnet.ibm.com
Thu Jun 19 09:16:16 EDT 2008
On Wed, 2008-06-18 at 16:54 -0400, Ken Raeburn wrote:
> I think it should be pointed out that such a change would allow
> tickets to start being issued where currently they would not when the
> KDC software gets updated -- even if the latter really was the intent
> of the realm administrator. Because of that, we might instead want to
> create a new flag with the semantics Jeff wants, and leave the
> existing flag with its current (suboptimal) behavior.
Sorry if this question sounds silly, but how much of both these
solutions are implementation specific? Wouldn't such a change require
changes to the current RFC?
-Klaus
--
Klaus Heinrich Kiwi <klausk at linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center
More information about the Kerberos
mailing list