Requesting use of addresses in forwardable tickets

Sam Hartman hartmans at MIT.EDU
Wed Sep 11 16:09:01 EDT 2002

>>>>> "Douglas" == Douglas E Engert <deengert at> writes:

    Douglas> Ken Hornstein wrote:
    >>  >Well then, here is an (untested) mod to the KDC which should
    >> not >add addresses if the original TGT did not have addresses:
    >> Silly question: Wouldn't this be more appropriate as a
    >> client-side modification?  E.g., if the client TGT has no
    >> addresses,

    Douglas> But I don't believe the client can tell if the TGT has
    Douglas> addresses or not.  The caddrs are in the encrypted part
    Douglas> of the ticket encrypted in the krbtgt key.

Sure it does; these are also in the reply.  Patch shortly.

    >> fwd_tgt becomes almost a no-op (that would cut down one
    >> round-trip to the KDC, and that would be a good thing IMHO).

    Douglas> Yes it would cut down one round trip, but the flags,
    Douglas> times, or authdata might also change. In the future we
    Douglas> might come up with something to use instead of addresses
    Douglas> to protect against stolen tickets.

I agree with Doug here and prefer to preserve the round trip if for no
other reason than to get a new session key.

More information about the krbdev mailing list