capaths questions
Derek Atkins
warlord at MIT.EDU
Mon May 17 15:47:38 EDT 2004
Jeffrey Hutzelman <jhutz at> writes:
> On Monday, May 17, 2004 14:28:13 -0400 Derek Atkins <warlord at> wrote:
>> This is irrelevant. The KDC should _ALWAYS_ choose a direct path in
>> lieu of a hop. If FNAL and ANL directly share a key you should NEVER
>> (and I mean 100% never) see an intermediary. I can envision NO
>> policies where you should ever want an intermediary when you have a
>> direct link.
> The KDC doesn't get to choose paths; the client does.
True, but the destination KDC does get to enforce it (as you suggest
> Of course, in the reverse case, things work fine. That is, if there
> is no direct shared key, and the client thinks there is, it can
> request krbtgt/ANL.GOV at FNAL.GOV and the FNAL.GOV KDC can respond with
> a krbtgt/ATHENA.MIT.EDU at FNAL.GOV ticket. This is the
> routes-are-in-the-KDC's model, and it is equivalent to configuring an
> internet host with only a default route instead of explicit routes to
> every other network on the internet.
This is a very strong argument for server-side configuration and TGS
> -- Jeff
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
warlord at MIT.EDU PGP key available
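The path-selection and transited-check mechanics argued over in this message, as an added illustration that is not part of the thread and not MIT krb5 code. The model below is a simplified reading of `[capaths]` semantics: the client (not a KDC) resolves its route from a `[capaths]`-style table, falling back to the domain hierarchy when no entry exists; the destination KDC then checks the ticket's transited field against the path its own configuration expects, so an intermediary is refused whenever that configuration says the path is direct. The realm names, shared-key set and table entries are constructed for the example, and `lint_capaths` implements the "direct key means no hop" rule stated above as a configuration check, which is an assumption about policy rather than anything the KDC enforces on its own.

```python
"""Simplified model of Kerberos cross-realm path selection ([capaths]) and
the destination KDC's transited-realm check.

Added example for this thread, not MIT krb5 code.  All realm names, shared
keys and [capaths] entries are constructed.
"""
from typing import Dict, List, Set

# Constructed [capaths]-style table: client_realm -> {server_realm: hops}.
# An empty hop list stands for "." in krb5.conf, i.e. a direct path.
CAPATHS: Dict[str, Dict[str, List[str]]] = {
    "FNAL.GOV": {"ANL.GOV": []},
    "ATHENA.MIT.EDU": {"ANL.GOV": ["FNAL.GOV"]},
}

# Constructed set of realm pairs that directly share a krbtgt key.
SHARED_KEYS: Set[frozenset] = {
    frozenset({"FNAL.GOV", "ANL.GOV"}),
    frozenset({"ATHENA.MIT.EDU", "FNAL.GOV"}),
}


def hierarchical_path(client: str, server: str) -> List[str]:
    """Fallback when [capaths] is silent: walk up the client's realm hierarchy
    to the deepest suffix it shares with the server realm, then down again."""
    c, s = client.split("."), server.split(".")
    n = 0
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    # ancestors of the client realm, ending at the shared suffix (if any)
    up = [".".join(c[i:]) for i in range(1, len(c) - n + 1)]
    # ancestors of the server realm below the shared suffix, top-down
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]
    return [r for r in up + down if r and r not in (client, server)]


def client_path(client: str, server: str,
                capaths: Dict[str, Dict[str, List[str]]] = CAPATHS) -> List[str]:
    """Intermediate realms the client will obtain TGTs from, in order.
    This choice is made by the client from its own configuration."""
    if client == server:
        return []
    explicit = capaths.get(client, {}).get(server)
    if explicit is not None:
        return list(explicit)
    return hierarchical_path(client, server)


def kdc_check_transited(client: str, server: str, transited: List[str],
                        capaths: Dict[str, Dict[str, List[str]]] = CAPATHS) -> bool:
    """Destination KDC policy: every realm in the ticket's transited field
    must appear, in order, on the path this KDC's own table expects.
    When the expected path is direct, any intermediary is refused."""
    expected = client_path(client, server, capaths)
    pos = 0
    for realm in transited:
        try:
            pos = expected.index(realm, pos) + 1
        except ValueError:
            return False
    return True


def lint_capaths(capaths: Dict[str, Dict[str, List[str]]],
                 shared_keys: Set[frozenset]) -> List[str]:
    """Flag entries that route via an intermediary although the two realms
    share a key directly (the rule argued for in the message above)."""
    findings = []
    for client, targets in capaths.items():
        for server, hops in targets.items():
            if hops and frozenset({client, server}) in shared_keys:
                findings.append(f"{client} -> {server}: direct key exists "
                                f"but path goes via {' -> '.join(hops)}")
    return findings


if __name__ == "__main__":
    print(client_path("ATHENA.MIT.EDU", "ANL.GOV"))
    print(kdc_check_transited("FNAL.GOV", "ANL.GOV", ["ATHENA.MIT.EDU"]))
    print(lint_capaths({"FNAL.GOV": {"ANL.GOV": ["ATHENA.MIT.EDU"]}}, SHARED_KEYS))
```

Running the module shows the client routing ATHENA.MIT.EDU to ANL.GOV through FNAL.GOV as configured, the ANL.GOV KDC refusing a FNAL.GOV client whose ticket transited ATHENA.MIT.EDU because its table says that path is direct, and the lint reporting a constructed table that hops despite a shared key.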