Requesting use of addresses in forwardable tickets
Douglas E. Engert
deengert at anl.gov
Wed Sep 11 16:12:01 EDT 2002
Sam Hartman wrote:
> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> Douglas> Sam Hartman wrote:
> >> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> Douglas> Are there (or can there) be any plans to allow a client
> Douglas> to not request addresses in the forwardable tickets? You
> Douglas> can already do this in kinit for the initial ticket.
> >> It seems this is only consistent with the WG direction away
> >> from addresses in tickets by default.
> Douglas> One way would be to not add addresses to forwardable
> Douglas> tickets if the original TGT did not have addresses.
> >> Sounds like a winner to me.
> Douglas> Well then, here is an (untested) mod to the KDC which
> Douglas> should not add addresses if the original TGT did not have
> Douglas> addresses:
> This should be a client side change not a KDC side change.
The second half of the note was a client side change, to not add
addresses into the request.
Correct me if I am wrong, but the client can not tell if there
are addresses in the TGT ticket it wishes to use to get another TGT,
as they are in the enc_part as the caddrs, encrypted in the krbtgt key.
If it could tell, it would be an easy client side change.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439