[krbdev.mit.edu #8625] Caching Forwarded TGTs
Todd Lubin via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Dec 6 13:10:10 EST 2017
When requesting a forwarded TGT, a client always talks to the KDC.
[krb5_fwd_tgt_creds] always calls [krb5_get_cred_via_tkt].
When ssh is using GSSAPIDelegateCredentials=yes, this generates KDC traffic
on every new ssh connection.
You could imagine caching forwarded TGTs to avoid this. If addresses are
used, you could cache a forwarded TGT for each destination host.
Is there a particular reason that this is not done? If not, I can submit a
patch for this.