Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
Jeffrey Altman
jaltman at secure-endpoints.com
Thu Jun 19 09:34:50 EDT 2008
Klaus Heinrich Kiwi wrote:
> On Wed, 2008-06-18 at 16:54 -0400, Ken Raeburn wrote:
>> I think it should be pointed out that such a change would allow
>> tickets to start being issued where currently they would not when the
>> KDC software gets updated -- even if the latter really was the intent
>> of the realm administrator. Because of that, we might instead want to
>> create a new flag with the semantics Jeff wants, and leave the
>> existing flag with its current (suboptimal) behavior.
>
> Sorry if this question sounds silly, but how much of both these
> solutions are implementation specific? Wouldn't such a change require
> changes to the current RFC?
Its not a silly question.
The allow_tix flag is 100% implementation specific. There is no
standardized KDC database format nor is there a standardized kadmin
interface.
Jeffrey Altman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080619/d2624f2f/attachment.bin
More information about the Kerberos
mailing list