Anonymous, s4u and authorization data

Sam Hartman hartmans at MIT.EDU
Thu Dec 17 11:07:26 EST 2009



Luke, the anonymous draft requires that the KDC trim authorization data
that is in the ticket.  I've implemented the following mechanisms and
wanted your advice on whether they break anything.

* I've added a new AUTHDATA_FLAG_ANONYMOUS flag; if that is set then
  we'll call the authdata system if the ticket has the anonymous flag
  set; otherwise we will not.
* I set that flag on the tgs-req and tgt authdata systems but no others.

In particular, I think this means that the kdb plugin, and signed
delegation path plugins will be skipped for anonymous tickets.

I'm not sure whether this is right.  It's quite clear we cannot simply
call the kdb plugin: we definitely do not want a PAC issued.  However I
haven't really thought through the s4u implications yet.  Your thoughts
would be appreciated.

--Sam
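As an added illustration (not Sam's code and not MIT krb5's own implementation), a constructed model of the gate described above: a module table in which only the tgs-req and tgt authdata systems carry AUTHDATA_FLAG_ANONYMOUS, and a dispatch check that skips every other module (kdb, signed delegation path) when the ticket's anonymous flag is set. The module names and TKT_FLG_ANONYMOUS bit value here are assumptions chosen for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the gate described in the message; not MIT krb5 code. */
#define AUTHDATA_FLAG_ANONYMOUS 0x1  /* module may run for anonymous tickets */
#define TKT_FLG_ANONYMOUS       0x1  /* modelled: ticket issued to the anonymous principal */

struct authdata_module {
    const char *name;
    unsigned int flags;
};

/* Table mirroring the message: only tgs-req and tgt carry the new flag. */
static const struct authdata_module modules[] = {
    { "tgs-req",                AUTHDATA_FLAG_ANONYMOUS },
    { "tgt",                    AUTHDATA_FLAG_ANONYMOUS },
    { "kdb",                    0 },  /* would issue a PAC; must not run anonymously */
    { "signed-delegation-path", 0 },  /* s4u path checks; skipped under this scheme */
};
#define NMODULES (sizeof(modules) / sizeof(modules[0]))

/* The gate: for anonymous tickets only flagged modules run; otherwise all run. */
static bool should_call_module(const struct authdata_module *m, unsigned int ticket_flags)
{
    if (ticket_flags & TKT_FLG_ANONYMOUS)
        return (m->flags & AUTHDATA_FLAG_ANONYMOUS) != 0;
    return true;
}

/* How many modules the dispatch would invoke for a ticket with these flags. */
size_t count_invoked(unsigned int ticket_flags)
{
    size_t n = 0;
    for (size_t i = 0; i < NMODULES; i++)
        if (should_call_module(&modules[i], ticket_flags))
            n++;
    return n;
}

/* Would the named module be invoked for a ticket with these flags? */
bool module_invoked(const char *name, unsigned int ticket_flags)
{
    for (size_t i = 0; i < NMODULES; i++)
        if (strcmp(modules[i].name, name) == 0)
            return should_call_module(&modules[i], ticket_flags);
    return false;  /* unknown module: never dispatched */
}
```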