Ticket addresses w.r.t. forwarded tickets.

Derek Atkins warlord at MIT.EDU
Tue Dec 6 10:02:00 EST 2005

Sam Hartman <hartmans at MIT.EDU> writes:

>>>>>> "Roland" == Roland Dowdeswell <Roland.Dowdeswell at MorganStanley.com> writes:
>     Roland> So, by default the MIT libs when asked to forward tickets
>     Roland> to the remote end will decide whether to include addresses
>     Roland> in the forwarded ticket by checking your current TGT and
>     Roland> seeing whether it has addresses.  And the addresses that
>     Roland> the libs put in the forwarded ticket are determined via a
>     Roland> DNS forward lookup of the remote end's hostname.  I would
>     Roland> like to have addressed TGTs while forwarding addressless
>     Roland> tickets, so I've put together a tiny patch which defines a
>     Roland> boolean in the [libdefaults] section of $KRB5_CONFIG to
>     Roland> let me do this [below].
>     Roland> What's the chance of including this in the main tree?
> We'd really like to kill off addressful tickets.  I'd like to see
> significant demand for this before including it.  But if someone else
> wants to commit the patch I would not object.

In delegated credentials I may want to delegate a credential that
may only be used on a particular host. Otherwise the processes
on the destination may decide to copy my credential and use it
elsewhere, which could be a security hole.

> --Sam


       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
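The decision rule Roland describes (addresses in the forwarded ticket iff the local TGT has addresses, taken from a forward DNS lookup of the remote host) and the host-restriction property Derek wants are small enough to model directly. The following is an added illustration written for this archive page, not libkrb5 code: the `Ticket` type, the `forward_addressless` parameter standing in for Roland's unnamed [libdefaults] boolean, the `DNS` table and all addresses are constructed for the example, and the "usable from" check is a simplified stand-in for the address check a KDC or application server performs.

```python
"""Model of the address-forwarding decision discussed above.

Added example, not MIT Kerberos library code.  Inputs are constructed
(fake DNS table, documentation-range addresses) so it runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# hostname -> addresses, i.e. a forward DNS lookup
Resolver = Callable[[str], List[str]]

# Constructed DNS data; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
DNS: Dict[str, List[str]] = {
    "shell.example.com": ["192.0.2.10"],
    "web.example.com": ["192.0.2.20", "192.0.2.21"],
}


def resolve(hostname: str) -> List[str]:
    """Stand-in for a forward DNS lookup; unknown names resolve to nothing."""
    return list(DNS.get(hostname, []))


@dataclass(frozen=True)
class Ticket:
    principal: str
    addresses: Tuple[str, ...] = ()  # empty tuple means an addressless ticket

    @property
    def addressless(self) -> bool:
        return not self.addresses


def forwarded_addresses(tgt: Ticket, remote_host: str, lookup: Resolver,
                        forward_addressless: bool = False) -> Tuple[str, ...]:
    """Addresses to put into a ticket forwarded to remote_host.

    Default behaviour as described in the thread: an addressed TGT yields a
    forwarded ticket bound to the remote host's forward-lookup addresses; an
    addressless TGT yields an addressless forwarded ticket.  The hypothetical
    forward_addressless flag models Roland's proposed [libdefaults] boolean:
    keep an addressed TGT locally but forward addressless credentials.
    """
    if tgt.addressless or forward_addressless:
        return ()
    addrs = tuple(lookup(remote_host))
    if not addrs:
        # With no address to bind to, an addressed forwarded ticket cannot
        # be built; surface this rather than silently forwarding addressless.
        raise LookupError(f"no forward lookup result for {remote_host}")
    return addrs


def forward(tgt: Ticket, remote_host: str, lookup: Resolver = resolve,
            forward_addressless: bool = False) -> Ticket:
    """Build the ticket that would be delegated to remote_host."""
    return Ticket(tgt.principal,
                  forwarded_addresses(tgt, remote_host, lookup, forward_addressless))


def usable_from(ticket: Ticket, client_addr: str) -> bool:
    """Simplified address check of a KDC or service: an addressed ticket is
    honoured only from a listed address, an addressless one from anywhere.
    This is the property behind Derek's point: copying an addressed ticket
    off the destination host does not let another host use it."""
    return ticket.addressless or client_addr in ticket.addresses


if __name__ == "__main__":
    tgt = Ticket("user@EXAMPLE.COM", ("203.0.113.5",))   # addressed local TGT
    fwd = forward(tgt, "shell.example.com")
    print("forwarded addresses:", fwd.addresses)
    print("usable on shell host:", usable_from(fwd, "192.0.2.10"))
    print("usable if copied elsewhere:", usable_from(fwd, "198.51.100.7"))
    loose = forward(tgt, "shell.example.com", forward_addressless=True)
    print("addressless forward usable anywhere:", usable_from(loose, "198.51.100.7"))
```

Running the module prints the four cases: with the default rule the forwarded ticket is bound to 192.0.2.10 and is rejected from any other address, while the `forward_addressless` override produces a ticket that works from anywhere, which is exactly the trade-off the two replies disagree about.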
