Request to change MIT Kerberos behavior when principal is expired, deleted or password changed

Greg Hudson ghudson at MIT.EDU
Fri Mar 7 18:16:52 EST 2014


On 03/07/2014 05:17 PM, Edgecombe, Jason wrote:
> I don't see how anyone can object to rejecting requests for expired or deleted principals.

I don't think anyone has.  In the past I have mentioned performance as a
possible issue, but it turns out we have been looking up the client
entry for most TGS requests since 1.7, so that's not a concern.

The change may not be a trivial one to make safely, because there are so
many edge cases in modern TGS request processing.

Be aware that:

* We cannot generally do these checks for cross-realm TGS requests.

* The KDC cannot revoke already-issued service tickets.
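The TGS-time client check this thread asks for, written as an added illustration (not MIT Kerberos code; the `PrincipalEntry` fields, the dict standing in for the KDC database and the `check_tgs_client` function are all assumptions). It also shows the two caveats above: a cross-realm client is skipped because its entry is not in this KDC's database, and a password change is detected by comparing against the TGT's authtime, since tickets already issued cannot be revoked.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the check discussed in the thread; not MIT Kerberos code.
# A real KDC consults its principal database; a dict stands in for it here.

@dataclass
class PrincipalEntry:
    expiration: Optional[int]        # seconds since epoch; None = never expires
    last_pwd_change: int             # seconds since epoch
    disallow_all_tix: bool = False   # hypothetical stand-in for a "disabled" flag

# Constructed sample database for the local realm EXAMPLE.COM.
SAMPLE_DB = {
    "alice@EXAMPLE.COM": PrincipalEntry(expiration=None, last_pwd_change=1_000),
    "bob@EXAMPLE.COM": PrincipalEntry(expiration=5_000, last_pwd_change=1_000),
    "carol@EXAMPLE.COM": PrincipalEntry(expiration=None, last_pwd_change=9_000),
}

def check_tgs_client(kdc_realm, client, tgt_authtime, now, db):
    """Decide whether a TGS request presented by `client` should be served.

    Returns None to allow the request, or a short reason string to reject it.
    The KDC cannot revoke the TGT itself, so the only lever is to refuse
    service tickets; `tgt_authtime` (from the TGT) lets us spot a password
    change that happened after the TGT was issued.
    """
    _name, sep, realm = client.rpartition("@")
    # Cross-realm client: its entry lives in another KDC's database, so
    # these checks cannot generally be made here.
    if not sep or realm != kdc_realm:
        return None
    entry = db.get(client)
    if entry is None:
        return "client principal deleted"
    if entry.expiration is not None and entry.expiration <= now:
        return "client principal expired"
    if entry.disallow_all_tix:
        return "client principal disabled"
    if entry.last_pwd_change > tgt_authtime:
        return "password changed after TGT was issued"
    return None
```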