a bunch of random krb5 questions

Tom Yu tlyu at MIT.EDU
Wed Sep 28 15:01:01 EDT 2011


Greg Hudson <ghudson at MIT.EDU> writes:

> On Tue, 2011-09-27 at 01:42 -0400, Chris Hecker wrote:
>
>> 8.  For u2u authn, I think the user_user sample is backwards.  In other 
>> words, it's always the client in a normal krb5 application that calls 
>> get_credentials and talks to the KDC, yet in the user_user sample that 
>> code is in server.c.
>
> Again, I could only really speculate as to why it's organized that way.
> But even if you reversed the roles, the server would still have to
> maintain a TGT which means talking to the KDC (although that could be
> done by a separate process).

If you take the viewpoint where the client is the process that calls
mk_req, then the roles are backward.  If you take the viewpoint where
the client is the process that initiates the client-server
interaction, then the roles are the right way around.

For user-to-user to work, one party has to give another its TGT.  In
the user-to-user example, I believe the reason the "client" process is
the one to send its TGT to the other end is because it's possible to
minimize the number of messages that way.

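The two viewpoints above (who calls mk_req versus who opens the connection) and the message-count argument can be seen by modelling the user-to-user flow in both orderings. The following is an added illustration written for this page, not code from the krb5 user_user sample or from any of the posters. Principal names, key labels, the KDC class and the seal/unseal helpers are all constructed here: "sealing" only records which key a box was closed under and refuses to open under any other key, so it is a structural model of the protocol, not real encryption.

```python
"""Model of the Kerberos user-to-user (U2U) exchange in both role orderings.

Added illustration for this thread; not the krb5 user_user sample.
Sealing is simulated: a box only opens under the key that sealed it.
"""
from dataclasses import dataclass
from typing import Optional


def seal(key: str, payload: dict) -> dict:
    """Stand-in for encryption: remember the key, keep the payload."""
    return {"sealed_with": key, "payload": dict(payload)}


def unseal(key: str, box: dict) -> dict:
    """Stand-in for decryption: only the sealing key opens the box."""
    if box["sealed_with"] != key:
        raise ValueError("wrong key")
    return dict(box["payload"])


def opens_with(key: str, box: dict) -> bool:
    """True if the box would open under this key (used for the negative check)."""
    return box["sealed_with"] == key


@dataclass
class Principal:
    name: str
    tgt: Optional[dict] = None            # TGT, sealed under the KDC's krbtgt key
    tgt_session_key: Optional[str] = None  # session key the KDC handed back with it


class KDC:
    """Constructed toy KDC: issues TGTs and U2U tickets (ENC-TKT-IN-SKEY)."""

    def __init__(self) -> None:
        self.krbtgt_key = "K_krbtgt"   # constructed label, not a real key
        self.counter = 0

    def as_exchange(self, p: Principal) -> None:
        """AS-REQ/AS-REP: give p a TGT plus the matching session key."""
        self.counter += 1
        sk = f"SK_{p.name}_{self.counter}"
        p.tgt = seal(self.krbtgt_key, {"cname": p.name, "skey": sk})
        p.tgt_session_key = sk

    def tgs_exchange_u2u(self, requester: Principal, peer_tgt: dict):
        """TGS-REQ with the peer's TGT as the additional ticket.

        The ticket comes back sealed under the session key of the peer's TGT
        rather than under a long-term service key, which is what lets a
        principal without a keytab act as the verifying side.
        """
        peer = unseal(self.krbtgt_key, peer_tgt)
        req = unseal(self.krbtgt_key, requester.tgt)
        self.counter += 1
        sk = f"SK_u2u_{self.counter}"
        ticket = seal(peer["skey"], {"cname": req["cname"], "skey": sk})
        return ticket, sk


def run_u2u(kdc: KDC, initiator: Principal, responder: Principal,
            initiator_sends_tgt: bool = True):
    """Run U2U between two principals holding TGTs.

    Returns (name authenticated by the verifying side, list of peer-to-peer
    messages). KDC traffic is identical in both orderings, so only messages
    between the two peers are counted.
    """
    msgs = []
    if initiator_sends_tgt:
        # Ordering in the sample: the "client" ships its TGT first, and the
        # "server" is the one that calls get_credentials and mk_req.
        msgs.append(("init->resp", "TGT"))
        ticket, sk = kdc.tgs_exchange_u2u(responder, initiator.tgt)
        msgs.append(("resp->init", "AP-REQ"))
        ap_req = {"ticket": ticket,
                  "authenticator": seal(sk, {"cname": responder.name})}
        verifier_key = initiator.tgt_session_key
    else:
        # Reversed roles: the initiator must first ask for the responder's
        # TGT before it can obtain a ticket and send the AP-REQ.
        msgs.append(("init->resp", "TGT request"))
        msgs.append(("resp->init", "TGT"))
        ticket, sk = kdc.tgs_exchange_u2u(initiator, responder.tgt)
        msgs.append(("init->resp", "AP-REQ"))
        ap_req = {"ticket": ticket,
                  "authenticator": seal(sk, {"cname": initiator.name})}
        verifier_key = responder.tgt_session_key

    # rd_req on the verifying side: its own TGT session key opens the ticket,
    # and the ticket's session key opens the authenticator.
    t = unseal(verifier_key, ap_req["ticket"])
    auth = unseal(t["skey"], ap_req["authenticator"])
    if auth["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"], msgs


if __name__ == "__main__":
    kdc = KDC()
    alice, bob = Principal("alice"), Principal("bob")   # constructed names
    kdc.as_exchange(alice)
    kdc.as_exchange(bob)
    for order in (True, False):
        who, msgs = run_u2u(kdc, alice, bob, initiator_sends_tgt=order)
        print(f"initiator_sends_tgt={order}: verified {who}, {len(msgs)} peer messages")
```

Run with the sample's ordering the verifying side is the process that opened the connection and two peer messages suffice; with the roles reversed the initiator has to ask for the other side's TGT first, so the same authentication costs three. Either way the ticket is bound to the verifier's own TGT session key, which is why the verifying party must keep a TGT alive even if the KDC traffic is delegated to another process.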