Requesting use of addresses in forwardable tickets
Douglas E. Engert
deengert at anl.gov
Wed Sep 11 16:20:01 EDT 2002
Sam Hartman wrote:
>
> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
>
> Douglas> Ken Hornstein wrote:
> >> >Well then, here is an (untested) mod to the KDC which should
> >> not >add addresses if the original TGT did not have addresses:
> >>
> >> Silly question: Wouldn't this be more appropriate as a
> >> client-side modification? E.g., if the client TGT has no
> >> addresses,
>
> Douglas> But I don't believe the client can tell if the TGT has
> Douglas> addresses or not. The caddrs are in the encrypted part
> Douglas> of the ticket encrypted in the krbtgt key.
>
> Sure it does; these are also in the reply. Patch shortly.
Yes I see, You and Matt have pointed that out.
>
> >> fwd_tgt becomes almost a no-op (that would cut down one
> >> round-trip to the KDC, and that would be a good thing IMHO).
>
> Douglas> Yes it would cut down one round trip, but the flags,
> Douglas> times, or authdata might also change. In the future we
> Douglas> might come up with something to use instead of addresses
> Douglas> to protect against stolen tickets.
>
> I agree with Doug here and prefer to preserve the round trip if for no
> other reason than to get a new session key.
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the krbdev
mailing list