Request to change MIT Kerberos behavior when principal is expired, deleted or password changed
Greg Hudson
ghudson at MIT.EDU
Fri Mar 7 18:16:52 EST 2014
On 03/07/2014 05:17 PM, Edgecombe, Jason wrote:
> I don't see how anyone can object to rejecting requests for expired or deleted principals.
I don't think anyone has. In the past I have mentioned performance as a
possible issue, but it turns out we have been looking up the client
entry for most TGS requests since 1.7, so that's not a concern.
The change may not be a trivial one to make safely, because there are so
many edge cases in modern TGS request processing.
Be aware that:
* We cannot generally do these checks for cross-realm TGS requests.
* The KDC cannot revoke already-issued service tickets.
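As an added illustration (not MIT Kerberos code, and not part of this thread), here is a small Python model of the TGS-time client-principal checks under discussion, together with the two limitations listed above. The realm name, the sample KDB entries, the class and function names, and the "password changed after the TGT's authtime" rule are all assumptions made for this example.

```python
"""Model of the TGS-time client-principal checks discussed in the thread.

Added illustration; this is not MIT Kerberos code. LOCAL_REALM, the sample
KDB contents, PrincipalEntry, TGSRequest, ServiceTicket and the functions
below are all assumed names chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

LOCAL_REALM = "EXAMPLE.ORG"  # constructed sample realm


@dataclass
class PrincipalEntry:
    name: str            # e.g. "alice@EXAMPLE.ORG"
    expiration: int      # principal expiry, epoch seconds; 0 means never
    disabled: bool       # administratively locked (think DISALLOW_ALL_TIX)
    pw_changed_at: int   # epoch seconds of the last password change


@dataclass
class TGSRequest:
    client: str          # client principal named in the presented TGT
    tgt_authtime: int    # authtime of that TGT
    now: int             # KDC clock at request time


@dataclass
class ServiceTicket:
    client: str
    endtime: int


# Constructed sample KDB: one healthy entry and one for each failure mode.
SAMPLE_KDB: Dict[str, PrincipalEntry] = {
    "alice@EXAMPLE.ORG": PrincipalEntry("alice@EXAMPLE.ORG", 0, False, 500),
    "bob@EXAMPLE.ORG": PrincipalEntry("bob@EXAMPLE.ORG", 1500, False, 500),
    "carol@EXAMPLE.ORG": PrincipalEntry("carol@EXAMPLE.ORG", 0, True, 500),
    "dave@EXAMPLE.ORG": PrincipalEntry("dave@EXAMPLE.ORG", 0, False, 1800),
}


def realm_of(princ: str) -> str:
    return princ.rsplit("@", 1)[1]


def check_tgs_client(req: TGSRequest,
                     kdb: Dict[str, PrincipalEntry]) -> Tuple[bool, str]:
    """Decide whether the TGS should serve this client; returns (accept, reason).

    Cross-realm clients have no entry in the local KDB, so nothing can be
    checked for them: that is the first limitation raised in the reply.
    """
    if realm_of(req.client) != LOCAL_REALM:
        return True, "cross-realm client: no local entry, checks skipped"
    entry = kdb.get(req.client)
    if entry is None:
        return False, "client principal deleted"
    if entry.disabled:
        return False, "client principal disabled"
    if entry.expiration and req.now >= entry.expiration:
        return False, "client principal expired"
    if entry.pw_changed_at > req.tgt_authtime:
        # Assumed rule for this example: a TGT obtained before the
        # password changed is treated as stale.
        return False, "password changed after TGT was issued"
    return True, "ok"


def service_accepts(ticket: ServiceTicket, now: int) -> bool:
    """An application server validates a service ticket on its own (key and
    endtime); it never asks the KDC, so a ticket issued before the principal
    was deleted stays usable until endtime: the second limitation in the reply.
    """
    return now < ticket.endtime
```

The point of `service_accepts` is the operational one: deleting or expiring a principal only stops the KDC from issuing new tickets, so the exposure window after a deletion is bounded by the lifetime of tickets already in the client's cache, not by the time of the KDB change.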