Proxy for Kerberos?

John Hascall john at
Sun Jul 30 23:10:34 EDT 2006

> John Hascall wrote:
> >    It seems to me that to do this accurately there would need
> >    to be some way to identify that request 'A' at KDC-1 is
> >    really the same user interaction as request 'B' at KDC-2.
> >    Is there some unique-id in the requests that would even allow this?
> >    (I can't think of one).

Jeffrey Altman wrote:
> But it's not just a question of whether two requests to different KDCs
> are part of the same login attempt.  There are other issues such as
> when the client doesn't know which salt to use.

  Are you talking about when the KDC returns KRB5KDC_ERR_PREAUTH_REQUIRED?
  If so, my reading of the code seems to indicate that fail_auth_count
  is not modified in that code path.  Is there some other issue here?


