Proxy for Kerberos?
John Hascall
john at iastate.edu
Sun Jul 30 23:10:34 EDT 2006
> John Hascall wrote:
> > It seems to me that to do this accurately there would need
> > to be some way to identify that request 'A' at KDC-1 is
> > really the same user interaction as request 'B' at KDC-2.
> > Is there some unique-id in the requests that would even allow this?
> > (I can't think of one).
Jeffrey Altman wrote:
> But it's not just a question of whether two requests to different KDCs
> are part of the same login attempt. There are other issues such as
> when the client doesn't know which salt to use.
Are you talking about when the KDC returns KRB5KDC_ERR_PREAUTH_REQUIRED?
If so, my reading of the code seems to indicate that fail_auth_count
is not modified in that code path. Is there some other issue here?
John