Using ms2mit...risks?

John Devitofranceschi foonon at gmail.com
Tue Sep 17 08:31:32 EDT 2019


What are the risks of using ms2mit to create an API: ccache?  What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?

I’m interested in setting up ssh ticket forwarding with PuTTY + the MIT gss DLL provided by KfW (4.1) without having to deal with setting unconstrained delegation trusts on the target hosts’ AD objects.  It seems that using Kerberos for Windows with an API: ccache allows me to accomplish this, but now I’m concerned that I may be opening myself up to potential client-side risks which I will need to document and manage somehow.

I’ve searched the mailing list archives about this, but mostly the discussions are about getting things to work vs. the potential consequences once they do.

Any pointers appreciated.

