Forwardable tickets - need help

Nicolas Williams Nicolas.Williams at oracle.com
Fri Sep 17 15:34:29 EDT 2010


On Fri, Sep 17, 2010 at 10:40:19AM -0700, egrama wrote:
> Shouldn't a non-forwardable ticket be good only on the host to which
> it was issued (host A in our example)?

Because of NAT, the use of addresses to control where a ticket can be
used from has become difficult at best to keep going; thus many sites
use address-less tickets, which in turn can be "forwarded" anywhere you
want.

The solution to this should be to require that a ticket be used in
conjunction with another ticket for a client host principal
corresponding to the host that the ticket is tied down to.  This would
have to be done via authorization-data elements in the Authenticator.

Nico
-- 



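The two points in the message above, modelled in code. This is an added example, not code from the original post or from any Kerberos implementation: the KDC's encryption of a ticket is stood in for by an HMAC under a constructed key, the `bound_host` field and the `AD_HOST_BINDING` authorization-data type are hypothetical stand-ins for the binding the message proposes (it names no field or type number), and all principals, addresses and tickets are constructed. What it shows is the RFC 4120 section 3.2.3 address check (an address-bound ticket fails once the client's traffic arrives from a NAT address, an address-less ticket passes from anywhere), and a verifier that additionally requires a genuine ticket for `host/<bound host>` inside the Authenticator's authorization data before accepting a ticket tied to that host.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional, Tuple

# Constructed key: stands in for the service key that encrypts a real ticket.
KDC_SECRET = b"constructed-toy-kdc-key"
REALM = "EXAMPLE.COM"
# Hypothetical AD type number; the post proposes the mechanism, not a value.
AD_HOST_BINDING = 9999


@dataclass(frozen=True)
class Ticket:
    cname: str                          # client principal
    sname: str                          # service principal
    caddr: Tuple[str, ...] = ()         # RFC 4120 HostAddresses; () = address-less
    bound_host: Optional[str] = None    # hypothetical: host the ticket is tied to


def issue(ticket: Ticket) -> Tuple[Ticket, bytes]:
    """Toy KDC: 'encrypt' the ticket as an HMAC over its serialized fields."""
    body = json.dumps(asdict(ticket), sort_keys=True).encode()
    return ticket, hmac.new(KDC_SECRET, body, hashlib.sha256).digest()


def genuine(ticket: Ticket, mac: bytes) -> bool:
    """Would the service key decrypt this ticket, i.e. did the KDC issue it?"""
    return hmac.compare_digest(issue(ticket)[1], mac)


def address_check(ticket: Ticket, sender_addr: str) -> bool:
    """RFC 4120 3.2.3: if the ticket carries addresses, the sender's address
    must be among them; an address-less ticket passes from anywhere."""
    return not ticket.caddr or sender_addr in ticket.caddr


def host_binding_check(ticket: Ticket, authz_data) -> bool:
    """Proposed check: a ticket tied to host H is accepted only if the
    Authenticator's authorization data carries a genuine ticket whose
    client principal is host/H@REALM (hypothetical AD element)."""
    if ticket.bound_host is None:
        return True
    want = f"host/{ticket.bound_host}@{REALM}"
    for ad_type, (host_ticket, host_mac) in authz_data:
        if (ad_type == AD_HOST_BINDING and genuine(host_ticket, host_mac)
                and host_ticket.cname == want):
            return True
    return False


def accept_ap_req(ticket, mac, sender_addr, authz_data=()):
    """Server-side acceptance: genuine ticket, address policy, host binding."""
    return (genuine(ticket, mac) and address_check(ticket, sender_addr)
            and host_binding_check(ticket, authz_data))


def scenarios() -> dict:
    """Constructed cases: host A is 10.0.0.5, seen through NAT as 203.0.113.9."""
    user, svc = f"alice@{REALM}", f"host/server@{REALM}"
    host_a, nat = "10.0.0.5", "203.0.113.9"
    t_addr, m_addr = issue(Ticket(user, svc, caddr=(host_a,)))
    t_free, m_free = issue(Ticket(user, svc))
    t_bound, m_bound = issue(Ticket(user, svc, bound_host="hosta"))
    good_host = issue(Ticket(f"host/hosta@{REALM}", svc))
    other_host = issue(Ticket(f"host/hostb@{REALM}", svc))
    forged = (Ticket(f"host/hosta@{REALM}", svc), b"\0" * 32)  # no KDC behind it
    return {
        "addr_from_a": accept_ap_req(t_addr, m_addr, host_a),
        "addr_via_nat": accept_ap_req(t_addr, m_addr, nat),
        "free_via_nat": accept_ap_req(t_free, m_free, nat),
        "bound_no_ad": accept_ap_req(t_bound, m_bound, nat),
        "bound_forged_host_ticket": accept_ap_req(
            t_bound, m_bound, nat, [(AD_HOST_BINDING, forged)]),
        "bound_other_host": accept_ap_req(
            t_bound, m_bound, nat, [(AD_HOST_BINDING, other_host)]),
        "bound_with_host_ticket": accept_ap_req(
            t_bound, m_bound, nat, [(AD_HOST_BINDING, good_host)]),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

Two things the toy makes visible. First, the FORWARDABLE flag only governs whether the KDC will issue a forwarded ticket with new addresses (RFC 4120 section 2.6); once a ticket is address-less there is nothing for the flag to gate, because the credential bytes can simply be copied to another host and pass the address check there, which is the "forwarded anywhere you want" in the message. Second, the proposed binding moves the proof of "which host is this" from a spoofable IP address to possession of that host's own Kerberos credentials, so a copied user ticket fails on a host that cannot also present a genuine `host/hosta` ticket.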