[remctl] Proposal for new credential delegation functionality
Russ Allbery
eagle at eyrie.org
Fri Nov 7 14:19:02 EST 2014
Simo Sorce <simo at redhat.com> writes:
> It is a very nice to have, but, it would be really nice if you did not
> use unbounded delegation (ie send the whole TGT) but ratherr allow to
> either just send a ticket (set of tickets) for whatever action may be
> neded, and/or support constrained delegation on the receiving end
> (s4u2proxy).
s4u2proxy feels like the right tool to me. I don't like the idea of
unconstrained delegation, and constrained delegation where the client
sends a specific ticket requires the client know what ticket to send.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list