[krbdev.mit.edu #8625] Caching Forwarded TGTs
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Dec 6 14:49:06 EST 2017
I don't know if there was originally a reason not to cache forwarded
TGTs. One possible reason is that if you forward the same TGT to
multiple parties, they will be able to decrypt each other's TGS replies
and any AP sessions created using the resulting tickets. If you
forward a different TGT to each party, they cannot read each other's
sessions.
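
The trade-off described in the message above, as an added example that is not part of the original post or of MIT krb5: a toy model in which the KDC seals each TGS reply under the TGT session key. An HMAC-SHA256 stream construction stands in for a real Kerberos enctype; all names (`seal`, `tgs_reply`, `host/fileserver`) are hypothetical, and authenticator subkeys are ignored.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (stand-in, not a Kerberos enctype).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Encrypt then MAC; returns nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns the plaintext, or None when the key does not match.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def tgs_reply(tgt_session_key, service):
    # KDC side: mint a service session key and seal it under the TGT session key.
    service_key = os.urandom(32)
    return service_key, seal(tgt_session_key, service.encode() + b"|" + service_key)

def recover_service_key(observer_tgt_key, reply):
    # What another holder of a forwarded TGT can extract from an observed reply.
    body = unseal(observer_tgt_key, reply)
    return None if body is None else body.split(b"|", 1)[1]

def compare():
    # Case 1: one cached TGT forwarded to hosts A and B (same session key).
    cached = os.urandom(32)
    a_key, b_key = cached, cached
    svc_key, reply = tgs_reply(a_key, "host/fileserver")  # constructed service name
    same_tgt = recover_service_key(b_key, reply) == svc_key
    # Case 2: a different forwarded TGT for each host.
    a_key, b_key = os.urandom(32), os.urandom(32)
    svc_key, reply = tgs_reply(a_key, "host/fileserver")
    distinct_tgt = recover_service_key(b_key, reply) == svc_key
    return same_tgt, distinct_tgt

if __name__ == "__main__":
    print(compare())
```

In the first case host B recovers the service session key from host A's reply, which is what exposes the AP sessions built on that ticket; in the second case B's key fails the integrity check and nothing is recovered.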