OK-AS-DELEGATE FLAG setting.
hartmans at MIT.EDU
Fri May 9 17:47:55 EDT 2008
>>>>> "Nebergall," == Nebergall, Christopher <cneberg at sandia.gov> writes:
>>> Unless things have changed in the last 6 months or so, neither
>>> Firefox, nor Safari pay any attention to the flag. Only IE,
Nebergall,> The problem is that there is no way of doing it only
Nebergall,> using GSSAPI calls. If there were, it would be no
Nebergall,> problem to add to Firefox. For example the SSPI in
Nebergall,> windows takes care of it transparently. So if you are
Nebergall,> using Firefox on windows using the SSPI just configure
Nebergall,> Firefox to delegate to everything, and the SSPI will
Nebergall,> restrict it automatically.
Nebergall,> This discussion came up a while back.
I think that we have Sandia's patch sitting in our bug database.
If we don't I definitely have it in my email.
I think that MIT Kerberos would be improved by taking the kadmin and kdc parts of that patch (or the similar Redhat patch).
Long term I think that adding OK-AS-Delegate support to libkrb5 and
(although it is harder) gssapi would be a good idea.
I believe the discussion you point to describes all the issues.
More information about the krbdev