Ticket addresses w.r.t. forwarded tickets.
Derek Atkins
warlord at MIT.EDU
Tue Dec 6 10:02:00 EST 2005
Sam Hartman <hartmans at MIT.EDU> writes:
>>>>>> "Roland" == Roland Dowdeswell <Roland.Dowdeswell at MorganStanley.com> writes:
>
> Roland> So, by default the MIT libs when asked to forward tickets
> Roland> to the remote end will decide whether to include addresses
> Roland> in the forwarded ticket by checking your current TGT and
> Roland> seeing whether it has addresses. And the addresses that
> Roland> the libs put in the forwarded ticket are determined via a
> Roland> DNS forward lookup of the remote end's hostname. I would
> Roland> like to have addressed TGTs while forwarding addressless
> Roland> tickets, so I've put together a tiny patch which defines a
> Roland> boolean in the [libdefaults] section of $KRB5_CONFIG to
> Roland> let me do this [below].
>
> Roland> What's the chance of including this in the main tree?
>
> We'd really like to kill off addressful tickets. I'd like to see
> significant demand for this before including it. But if someone else
> wants to commit the patch I would not object.
In delegated credentials I may want to delegate a credential that
may only be used on a particular host. Otherwise the processes
on the destination may decide to copy my credential and use it
elsewhere, which could be a security hole.
> --Sam
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
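As an added illustration (not code from this thread or from MIT krb5), the following Python models the forwarding decision Roland describes and the host-binding property Derek points to; the resolver table, the `forward_addressless` flag name, the ticket structure and all addresses are constructed for this example, since the actual patch is not shown in the message.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed table standing in for the DNS forward lookup; no network access.
RESOLVER: Dict[str, List[str]] = {
    "shell.example.com": ["192.0.2.10"],
    "backup.example.com": ["192.0.2.20"],
}


@dataclass
class Ticket:
    principal: str
    addresses: List[str] = field(default_factory=list)  # empty list = addressless


def forwarded_addresses(tgt: Ticket, remote_host: str,
                        forward_addressless: bool = False) -> List[str]:
    """Address list for a ticket forwarded to remote_host.

    Models the behaviour described in the thread: addresses are included
    only if the current TGT itself carries addresses, and they come from a
    forward lookup of the remote host name.  'forward_addressless' is a
    hypothetical [libdefaults] switch (the real patch is not on the page)
    that yields an addressless forwarded ticket even from an addressed TGT.
    """
    if not tgt.addresses or forward_addressless:
        return []
    if remote_host not in RESOLVER:
        raise LookupError(f"cannot resolve {remote_host}")
    return list(RESOLVER[remote_host])


def usable_from(ticket: Ticket, client_addr: str) -> bool:
    """An addressed ticket is honoured only from a listed address; an
    addressless one is honoured from anywhere, which is Derek's concern."""
    return not ticket.addresses or client_addr in ticket.addresses


def forward(tgt: Ticket, remote_host: str,
            forward_addressless: bool = False) -> Ticket:
    return Ticket(tgt.principal,
                  forwarded_addresses(tgt, remote_host, forward_addressless))


if __name__ == "__main__":
    tgt = Ticket("user@EXAMPLE.COM", ["198.51.100.5"])
    bound = forward(tgt, "shell.example.com")
    print(bound.addresses, usable_from(bound, "192.0.2.20"))  # ['192.0.2.10'] False
    loose = forward(tgt, "shell.example.com", forward_addressless=True)
    print(loose.addresses, usable_from(loose, "192.0.2.20"))  # [] True
```

The second case is the one Derek warns about: a copied addressless ticket passes the check from a host it was never forwarded to.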