[krbdev.mit.edu #8625] Caching Forwarded TGTs
Todd Lubin via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Dec 6 17:17:52 EST 2017
That is a good point regarding forwarding the same TGT to different
parties. As you suggested, this doesn't seem like a concern if addresses
are used in tickets and there is care taken to forward TGTs that have
matched addresses. What are your thoughts on doing this only if addresses
are used in tickets?
On Wed, Dec 6, 2017 at 2:49 PM, Greg Hudson via RT <rt-comment at krbdev.mit.edu> wrote:
> I don't know if there was originally a reason not to cache forwarded
> TGTs. One possible reason is that if you forward the same TGT to
> multiple parties, they will be able to decrypt each others' TGS replies
> and any AP sessions created using the resulting tickets. If you
> forward a different TGT to each party, they cannot read each others'
> sessions.
>
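The key relationship behind Greg's point, as an added illustration (this is not code from the ticket or from MIT krb5): a TGS-REP is encrypted under the session key carried in the TGT that was presented, so two parties handed the same forwarded TGT share that key and can read each other's replies, including the new service session key that protects the later AP exchange; two parties handed distinct forwarded TGTs cannot. The third function models Todd's caveat: a TGT carrying addresses is only accepted from a matching address. The "cipher" is a toy encrypt-then-MAC stand-in for an RFC 3961 enctype, the message bodies are simplified JSON, and the names alice, hostB, hostC and imap/mail are made up for the example.

```python
# Toy model of TGT forwarding and session-key sharing. Added illustration,
# not MIT krb5 code; seal/unseal stand in for a real Kerberos enctype.
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy, not a krb5 enctype)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key?)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds the TGS key; issues TGTs (AS exchange) and answers TGS-REQs."""

    def __init__(self):
        self.tgs_key = secrets.token_bytes(32)

    def issue_tgt(self, client: str, addresses: tuple = ()):
        """Return (tgt, session_key). The TGT is sealed under the TGS key; the
        session key is what the AS-REP would deliver to the client.
        addresses == () models an addressless TGT."""
        session_key = secrets.token_bytes(32)
        body = {"client": client, "skey": session_key.hex(), "addrs": list(addresses)}
        return seal(self.tgs_key, json.dumps(body).encode()), session_key

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, from_addr: str, service: str) -> bytes:
        """TGS-REQ -> TGS-REP. The reply (carrying the new service session key)
        is sealed under the TGT's session key, so every holder of that key can read it."""
        t = json.loads(unseal(self.tgs_key, tgt))
        skey = bytes.fromhex(t["skey"])
        unseal(skey, authenticator)  # requester must prove knowledge of the session key
        if t["addrs"] and from_addr not in t["addrs"]:
            raise PermissionError("TGT not valid from %s" % from_addr)
        rep = {"service": service, "svc_skey": secrets.token_bytes(32).hex()}
        return seal(skey, json.dumps(rep).encode())


def use_forwarded_tgt(kdc: KDC, creds, from_addr: str, service: str) -> bytes:
    """A party that received forwarded creds = (tgt, session_key) gets a service ticket."""
    tgt, skey = creds
    return kdc.tgs_exchange(tgt, seal(skey, b"authenticator"), from_addr, service)


def can_read_reply(creds, tgs_rep: bytes) -> bool:
    """Can the holder of creds decrypt a TGS-REP that was issued to someone else?"""
    try:
        unseal(creds[1], tgs_rep)
        return True
    except ValueError:
        return False


def shared_tgt_leaks_replies() -> bool:
    """Same TGT forwarded to A and B: A reads B's TGS-REP (and so the AP session key)."""
    kdc = KDC()
    creds_a = kdc.issue_tgt("alice")
    creds_b = creds_a  # the cached, re-forwarded TGT: identical session key
    rep_for_b = use_forwarded_tgt(kdc, creds_b, "hostB", "imap/mail")
    return can_read_reply(creds_a, rep_for_b)


def distinct_tgts_isolate_replies() -> bool:
    """A fresh forwarded TGT per party: A cannot read B's TGS-REP."""
    kdc = KDC()
    creds_a = kdc.issue_tgt("alice")
    creds_b = kdc.issue_tgt("alice")
    rep_for_b = use_forwarded_tgt(kdc, creds_b, "hostB", "imap/mail")
    return not can_read_reply(creds_a, rep_for_b)


def address_bound_tgt_rejected_elsewhere() -> bool:
    """A TGT bound to hostB works from hostB and is refused from hostC."""
    kdc = KDC()
    creds = kdc.issue_tgt("alice", addresses=("hostB",))
    use_forwarded_tgt(kdc, creds, "hostB", "imap/mail")
    try:
        use_forwarded_tgt(kdc, creds, "hostC", "imap/mail")
        return False
    except PermissionError:
        return True
```

The address check is the KDC's side of the caveat only; it says nothing about a party that obtains the shared TGT and sits on the permitted host, so address-bound tickets narrow the reuse window rather than remove the shared-key property.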