[remctl] Proposal for new credential delegation functionality

Russ Allbery eagle at eyrie.org
Fri Nov 7 14:19:02 EST 2014


Simo Sorce <simo at redhat.com> writes:

> It is a very nice to have, but, it would be really nice if you did not
> use unbounded delegation (i.e. send the whole TGT) but rather allow to
> either just send a ticket (set of tickets) for whatever action may be
> needed, and/or support constrained delegation on the receiving end
> (s4u2proxy).

s4u2proxy feels like the right tool to me.  I don't like the idea of
unconstrained delegation, and constrained delegation where the client
sends a specific ticket requires the client know what ticket to send.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

