capaths questions
Derek Atkins
warlord at MIT.EDU
Mon May 17 15:47:38 EDT 2004
Jeffrey Hutzelman <jhutz at cmu.edu> writes:
> On Monday, May 17, 2004 14:28:13 -0400 Derek Atkins <warlord at mit.edu> wrote:
>> This is irrelevant. The KDC should _ALWAYS_ choose a direct path in
>> lieu of a hop. If FNAL and ANL directly share a key you should NEVER
>> (and I mean 100% never) see an intermediary. I can envision NO
>> policies where you should ever want an intermediary when you have a
>> direct link.
>
> The KDC doesn't get to choose paths; the client does.
True, but the destination KDC does get to enforce it (as you suggest
later).
[snip]
> Of course, in the reverse case, things work fine. That is, if there
> is no direct shared key, and the client thinks there is, it can
> request krbtgt/ANL.GOV at FNAL.GOV and the FNAL.GOV KDC can respond with
> a krbtgt/ATHENA.MIT.EDU at FNAL.GOV ticket. This is the
> routes-are-in-the-KDC's model, and it is equivalent to configuring an
> internet host with only a default route instead of explicit routes to
> every other network on the internet.
This is a very strong argument for server-side configuration and TGS
referrals.
> -- Jeff
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
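A small model of the split the thread describes (the client picks the path, the destination KDC enforces it), added here as an illustration and not taken from the thread or from MIT krb5's code. It assumes a simplified reading of krb5.conf [capaths]: intermediates listed in order, "." meaning a direct shared key, and no hierarchical fallback; the realm names are the ones used in the discussion.

```python
# Simplified [capaths] model (assumption, not MIT krb5's implementation):
# capaths[CLIENT][SERVER] lists intermediate realms in order, "." means a
# direct shared key, and a missing entry is treated as "direct only"
# (real krb5 would fall back to the hierarchical path instead).

# Constructed sample, following the thread: FNAL.GOV and ANL.GOV do not
# share a key; ATHENA.MIT.EDU is the intermediary between them.
CAPATHS = {
    "FNAL.GOV": {                       # client-side routing table
        "ATHENA.MIT.EDU": ["."],
        "ANL.GOV": ["ATHENA.MIT.EDU"],
    },
    "ANL.GOV": {                        # what ANL.GOV's KDC will accept
        "ATHENA.MIT.EDU": ["."],        # direct key: no intermediary allowed
        "FNAL.GOV": ["ATHENA.MIT.EDU"],
    },
}

def client_path(capaths, client_realm, server_realm):
    """Realm hops the client walks: the intermediates, then the target."""
    hops = capaths.get(client_realm, {}).get(server_realm, ["."])
    return [h for h in hops if h != "."] + [server_realm]

def tgt_requests(capaths, client_realm, server_realm):
    """Sequence of cross-realm TGTs (krbtgt/NEXT@CURRENT) the client asks for."""
    current, requests = client_realm, []
    for nxt in client_path(capaths, client_realm, server_realm):
        requests.append(f"krbtgt/{nxt}@{current}")
        current = nxt
    return requests

def kdc_accepts_transit(capaths, server_realm, client_realm, transited):
    """Destination KDC check: the ticket's transited realms must equal the
    path this KDC has configured for that client realm."""
    allowed = capaths.get(server_realm, {}).get(client_realm, ["."])
    return list(transited) == [r for r in allowed if r != "."]
```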