Forwardable tickets - need help
Nicolas Williams
Nicolas.Williams at oracle.com
Fri Sep 17 15:34:29 EDT 2010
On Fri, Sep 17, 2010 at 10:40:19AM -0700, egrama wrote:
> Shouldn't a non-forwardable ticket be good only on the host to which
> it was issued (host A in our example)?

Because of NAT the use of addresses to control where a ticket can be
used from has become difficult at best to keep going, thus many sites
use address-less tickets, which in turn can be "forwarded" anywhere you
want.

The solution to this should be to require that a ticket be used in
conjunction with another ticket for a client host principal
corresponding to the host that the ticket is tied down to.  This would
have to be done via authorization-data elements in the Authenticator.

Nico
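
Added example, not part of the message above and not code from any Kerberos implementation: a small Python model of the ticket address (caddr) check, showing why it fails for the legitimate host behind NAT and why an address-less ticket passes from any host, next to a hypothetical form of the host-principal binding proposed in the reply. The Ticket class, the bound_host field, the addresses and the principal names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Ticket:
    client: str
    caddr: tuple = ()     # empty tuple models an address-less ticket
    bound_host: str = ""  # hypothetical: host principal the ticket is tied to

def address_check(ticket, observed_src):
    """caddr rule (RFC 4120): a ticket with no addresses is usable from anywhere."""
    if not ticket.caddr:
        return True
    return ip_address(observed_src) in {ip_address(a) for a in ticket.caddr}

def host_binding_check(ticket, host_ticket_client):
    """Hypothetical form of the proposal: the request must also carry a ticket
    for the host principal the user ticket is tied to. Assumes the service has
    already validated that host ticket and extracted its client name."""
    if not ticket.bound_host:
        return True
    return host_ticket_client == ticket.bound_host

def accept(ticket, observed_src, host_ticket_client=None):
    return (address_check(ticket, observed_src)
            and host_binding_check(ticket, host_ticket_client))

# Constructed addresses: host A sits behind NAT, host B is some other machine.
HOST_A_PRIVATE = "10.0.0.5"   # what host A believes its address is
NAT_PUBLIC = "203.0.113.7"    # what the service sees for host A
HOST_B = "198.51.100.9"
HOST_A_PRINC = "host/a.example.com@EXAMPLE.COM"
HOST_B_PRINC = "host/b.example.com@EXAMPLE.COM"

def scenario():
    addressed = Ticket("user@EXAMPLE.COM", caddr=(HOST_A_PRIVATE,))
    addressless = Ticket("user@EXAMPLE.COM")
    bound = Ticket("user@EXAMPLE.COM", bound_host=HOST_A_PRINC)
    return {
        "addressed, host A via NAT": accept(addressed, NAT_PUBLIC),
        "address-less, host A via NAT": accept(addressless, NAT_PUBLIC),
        "address-less, host B": accept(addressless, HOST_B),
        "host-bound, host A via NAT": accept(bound, NAT_PUBLIC, HOST_A_PRINC),
        "host-bound, host B": accept(bound, HOST_B, HOST_B_PRINC),
    }

if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The address check rejects host A itself once NAT rewrites its source address, while the host-bound ticket is accepted from A and rejected from B regardless of the address the service observes.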