Reason for removing sname check?
Greg Hudson
ghudson at MIT.EDU
Wed Oct 10 12:40:12 EDT 2012
On 10/10/2012 11:27 AM, Tomas Kuthan wrote:
> in MIT krb there used to be a check making sure that the principal name
> of a keytab entry used to decode enc-part of a ticket equals sname from
> that ticket. But this check went away [...]
We removed this check in 1.7 and changed the way rd_req_dec works in
order to support server principal aliases. You can read a bit about
this at:
http://k5wiki.kerberos.org/wiki/Projects/Aliases#Server_principals
We made further changes to the way rd_req_dec works in 1.10 to support
more flexible handling of GSSAPI acceptor names, as described here:
http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names