[krbdev.mit.edu #8625] Caching Forwarded TGTs

Todd Lubin via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Dec 6 17:17:52 EST 2017


That is a good point regarding forwarding the same TGT to different
parties. As you suggested, this doesn't seem like a concern if addresses
are used in tickets and there is care taken to forward TGTs that have
matched addresses. What are your thoughts on doing this only if addresses
are used in tickets?

On Wed, Dec 6, 2017 at 2:49 PM, Greg Hudson via RT <
rt-comment at krbdev.mit.edu> wrote:

> I don't know if there was originally a reason not to cache forwarded
> TGTs.  One possible reason is that if you forward the same TGT to
> multiple parties, they will be able to decrypt each others' TGS replies
> and any AP sessions created using the resulting tickets.  If you
> forward a different TGT to each party, they cannot read each others'
> sessions.
>
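As an added illustration of the point in this exchange (example code written for this page, not part of the thread and not MIT krb5 code): a toy model in which the TGS-REP is sealed under the TGT session key, so two delegates that were forwarded the same TGT can read each other's replies, together with a forwarded-TGT cache keyed on the ticket's address set, which hands the same TGT back only for an identical address set. The cipher is a stand-in for a Kerberos enctype, the hosts and addresses are constructed, and the class and function names are assumptions.

```python
# Added example, not MIT krb5 code: toy Kerberos key hierarchy showing why a
# TGT forwarded to several parties lets them decrypt each other's TGS replies,
# and an address-keyed forwarded-TGT cache. Names and addresses are hypothetical.
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for a Kerberos enctype."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under separate derived keys: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag and decrypt; raises ValueError under any other key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key)")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class KDC:
    """Toy KDC: issues forwarded TGTs and answers TGS requests."""

    def __init__(self):
        self.tgs_key = os.urandom(32)  # long-term krbtgt key

    def forward_tgt(self, addresses):
        """Issue a fresh forwarded TGT with its own session key, bound to addresses."""
        session_key = os.urandom(32)
        body = json.dumps({"key": session_key.hex(), "addrs": sorted(addresses)}).encode()
        return {"ticket": seal(self.tgs_key, body), "session_key": session_key,
                "addrs": frozenset(addresses)}

    def tgs_exchange(self, ticket: bytes, service: str) -> bytes:
        """TGS-REP: the new service session key is sealed under the TGT session key."""
        body = json.loads(unseal(self.tgs_key, ticket))
        tgt_session_key = bytes.fromhex(body["key"])
        service_key = os.urandom(32)
        reply = json.dumps({"srv": service, "key": service_key.hex()}).encode()
        return seal(tgt_session_key, reply)


class ForwardingClient:
    """Caches forwarded TGTs and reuses one only for an identical address set."""

    def __init__(self, kdc: KDC):
        self.kdc = kdc
        self.cache = {}

    def forwarded_tgt(self, addresses):
        key = frozenset(addresses)
        if key not in self.cache:
            self.cache[key] = self.kdc.forward_tgt(addresses)
        return self.cache[key]


def peer_can_read_reply(addrs_a, addrs_b) -> bool:
    """Host A and host B each receive a forwarded TGT through the cache, keyed on
    their ticket addresses; B runs a TGS exchange.  Returns True if A's TGT
    session key decrypts B's TGS-REP, i.e. the two were handed the same TGT."""
    kdc = KDC()
    client = ForwardingClient(kdc)
    tgt_a = client.forwarded_tgt(addrs_a)
    tgt_b = client.forwarded_tgt(addrs_b)
    rep_b = kdc.tgs_exchange(tgt_b["ticket"], "host/b.example.com")
    try:
        unseal(tgt_a["session_key"], rep_b)
        return True
    except ValueError:
        return False
```

With addresses in the tickets, the cache only returns the same TGT for the same address set, so a delegate on 10.0.0.6 cannot read the replies of one on 10.0.0.5; with addressless tickets every lookup hits the same cache entry and every delegate shares one session key, which is the case the quoted message warns about.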
