flags for allowing tix

Tom Yu tlyu at MIT.EDU
Wed May 21 01:18:21 EDT 2008

Roland Dowdeswell <elric at imrryr.org> writes:

> I've noticed that in the MIT kdc there are a number of flags for
> enabling and disabling the issuance of tickets in various circumstances.
> My thoughts on the topic began when I decided that I'd like a flag
> on a principal to disable AS_REQs _from_ that princ.  This would
> make sense if you know that a principal will solely be used as a
> service and would never AS_REQ.

Could you please elaborate on the situations where you might want to
impose this restriction on a (service) principal?  Keep in mind that
the principal will not be able to change its own key as long as that
flag is set.

I will grant that the non-orthogonality of the flags looks inelegant.
I also think that any attempt to make this set of flags more
orthogonal should also consider requests for user-to-user tickets.

More information about the krbdev mailing list