issue with preauth processing
Sam Hartman
hartmans at MIT.EDU
Mon Oct 26 14:33:45 EDT 2009
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> Second, I think it's fair for an application to want to
Nicolas> avoid the "no pre-auth" and "plain PA-ENC-TIMESTAMP"
Nicolas> methods, even if the KDC might allow it, in which case
Nicolas> you'd want the system to try all other pre-auth methods
Nicolas> available.
I agree.
I don't think that is what the current interface was intended to be though.
At most you need three interfaces:
* optimistic hint
* list of mechanisms to avoid because they are constrained against
* For cases like S4U a specific set of mechanisms we must use.
More information about the krbdev
mailing list