Requesting use of addresses in forwardable tickets

Douglas E. Engert deengert at
Wed Sep 11 16:20:01 EDT 2002

Sam Hartman wrote:
> >>>>> "Douglas" == Douglas E Engert <deengert at> writes:
>     Douglas> Ken Hornstein wrote:
>     >>  >Well then, here is an (untested) mod to the KDC which should
>     >> not >add addresses if the original TGT did not have addresses:
>     >>
>     >> Silly question: Wouldn't this be more appropriate as a
>     >> client-side modification?  E.g., if the client TGT has no
>     >> addresses,
>     Douglas> But I don't believe the client can tell if the TGT has
>     Douglas> addresses or not.  The caddrs are in the encrypted part
>     Douglas> of the ticket encrypted in the krbtgt key.
> Sure it does; these are also in the reply.  Patch shortly.

Yes I see, You and Matt have pointed that out.

>     >> fwd_tgt becomes almost a no-op (that would cut down one
>     >> round-trip to the KDC, and that would be a good thing IMHO).
>     Douglas> Yes it would cut down one round trip, but the flags,
>     Douglas> times, or authdata might also change. In the future we
>     Douglas> might come up with something to use instead of addresses
>     Douglas> to protect against stolen tickets.
> I agree with Doug here and prefer to preserve the round trip if for no
> other reason than to get a new session key.
> _______________________________________________
> krbdev mailing list             krbdev at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list