AW: Resource based kerberos constrained delegation

Greg Hudson ghudson at mit.edu
Tue Jun 28 10:59:02 EDT 2016


On 06/28/2016 06:03 AM, Stefan Dietiker wrote:
> A few months ago I have asked you whether it is possible with krb5-libs to
> do Resource Based Kerberos Constrained Delegation or not. You mentioned
> that the Kerberos libs does not include the PA-PAC-OPTIONS which are
> required for this purpose. Recently I was tracking the changes in the git
> repo and realized that a new option "--request-pac" is available.

I don't believe this change bears any relation to resource based
constrained delegation.  PA-PAC-REQUEST is different from PA-PAC-OPTIONS.

(I would also assume there is substantially more to implementing
resource based constrained delegation on the client than just sending
the PA-PAC-OPTIONS bit, or there would be no reason to have the bit in
the protocol.)


More information about the Kerberos mailing list