Requesting use of addresses in forwardable tickets
Sam Hartman
hartmans at MIT.EDU
Wed Sep 11 16:09:01 EDT 2002
>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
Douglas> Ken Hornstein wrote:
>> >Well then, here is an (untested) mod to the KDC which should not
>> >add addresses if the original TGT did not have addresses:
>>
>> Silly question: Wouldn't this be more appropriate as a
>> client-side modification? E.g., if the client TGT has no
>> addresses,
Douglas> But I don't believe the client can tell if the TGT has
Douglas> addresses or not. The caddrs are in the encrypted part
Douglas> of the ticket encrypted in the krbtgt key.
Sure it does; these are also in the reply. Patch shortly.
>> fwd_tgt becomes almost a no-op (that would cut down one
>> round-trip to the KDC, and that would be a good thing IMHO).
Douglas> Yes it would cut down one round trip, but the flags,
Douglas> times, or authdata might also change. In the future we
Douglas> might come up with something to use instead of addresses
Douglas> to protect against stolen tickets.
I agree with Doug here and prefer to preserve the round trip if for no
other reason than to get a new session key.
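Worked example, added here and not code from this thread or from MIT Kerberos: RFC 4120 puts a `caddr [11]` field in the EncKDCRepPart that the client decrypts with its own key, so the client can see locally whether the TGT it holds carries addresses, which is the point made above. The script hand-builds a simplified DER EncTGSRepPart (a subset of the fields, with constructed sample values and constructed DER helpers) with and without `caddr`, then walks it with a small DER reader to recover the address list.

```python
"""Can the client tell whether its TGT has addresses? Check the KDC reply.

Added example; not from the krbdev thread or the MIT Kerberos sources.
Per RFC 4120, EncTGSRepPart (APPLICATION 26) carries caddr [11] when the
ticket was issued with addresses. The DER helpers, the field subset and the
sample values below are constructed for illustration.
"""

def der_len(n: int) -> bytes:
    # DER length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n: int, body: bytes) -> bytes:
    return tlv(0xA0 | n, body)        # constructed context tag [n]

def app(n: int, body: bytes) -> bytes:
    return tlv(0x60 | n, body)        # constructed APPLICATION tag

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def integer(v: int) -> bytes:
    # Minimal two's-complement encoding; enough for the small values used here.
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)

def general_string(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))

def host_addresses(addrs):
    # HostAddresses ::= SEQUENCE OF HostAddress { addr-type [0] Int32, address [1] OCTET STRING }
    return seq(*(seq(ctx(0, integer(t)), ctx(1, octet_string(a))) for t, a in addrs))

def enc_tgs_rep_part(addrs=None) -> bytes:
    """Simplified EncTGSRepPart: nonce [2], srealm [9], sname [10] and, if given,
    caddr [11]. A real reply also carries key, last-req, flags, times, etc."""
    fields = [
        ctx(2, integer(12345)),
        ctx(9, general_string("EXAMPLE.ORG")),
        ctx(10, seq(ctx(0, integer(2)),
                    ctx(1, seq(general_string("krbtgt"), general_string("EXAMPLE.ORG"))))),
    ]
    if addrs:
        fields.append(ctx(11, host_addresses(addrs)))
    return app(26, seq(*fields))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def context_fields(seq_body: bytes) -> dict:
    """Map context tag number -> inner bytes for each [n] field in a SEQUENCE body."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, val, pos = read_tlv(seq_body, pos)
        assert tag & 0xE0 == 0xA0, "expected a constructed context tag"
        out[tag & 0x1F] = val
    return out

def reply_addresses(der: bytes):
    """Return [(addr-type, address)] from caddr [11] of a (simplified) EncTGSRepPart,
    or [] when the KDC issued the ticket without addresses."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x60 | 26, "not an EncTGSRepPart (APPLICATION 26)"
    tag, seq_body, _ = read_tlv(body, 0)
    assert tag == 0x30, "EncTGSRepPart body must be a SEQUENCE"
    fields = context_fields(seq_body)
    if 11 not in fields:
        return []
    addrs, pos = [], 0
    _, seq_of, _ = read_tlv(fields[11], 0)          # HostAddresses SEQUENCE OF
    while pos < len(seq_of):
        _, ha, pos = read_tlv(seq_of, pos)          # one HostAddress SEQUENCE
        parts = context_fields(ha)
        _, atype, _ = read_tlv(parts[0], 0)
        _, addr, _ = read_tlv(parts[1], 0)
        addrs.append((int.from_bytes(atype, "big", signed=True), addr))
    return addrs

# Constructed samples: an addressless TGT reply, and one bound to IPv4 10.0.0.5 (addr-type 2).
ADDRLESS_REPLY = enc_tgs_rep_part()
BOUND_REPLY = enc_tgs_rep_part([(2, bytes([10, 0, 0, 5]))])

if __name__ == "__main__":
    print("addressless reply caddr:", reply_addresses(ADDRLESS_REPLY))
    print("address-bound reply caddr:", reply_addresses(BOUND_REPLY))
```

A client deciding how to forward its TGT would run the equivalent of `reply_addresses` over the decrypted reply it already holds; an empty result means the original TGT has no addresses and there is nothing address-related to preserve or strip in the forwarded one.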