Different behaviour of mod_auth_kerb depending on kerberos stack
Tom Yu
tlyu at MIT.EDU
Wed Oct 20 09:49:03 EDT 2010
Simo Sorce <ssorce at redhat.com> writes:
> On Tue, 19 Oct 2010 16:18:10 -0700
> Russ Allbery <rra at stanford.edu> wrote:
>
>> Heimdal is doing that check, but it's apparently smart enough to ask
>> your KDC and resolve the alias first, so it finds the right principal.
>
> Or maybe it just tries all the keys regardless of their principal name,
> and if one succedes in decrypting the payload it just uses it.
> It is probably much faster this way.
We implemented this behavior in MIT Kerberos, but I think the
application needs to avoid specifying an explicit GSS acceptor name in
order for it to work.
More information about the Kerberos
mailing list