issue with preauth processing

Sam Hartman hartmans at MIT.EDU
Mon Oct 26 14:33:45 EDT 2009

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

    Nicolas> Second, I think it's fair for an application to want to
    Nicolas> avoid the "no pre-auth" and "plain PA-ENC-TIMESTAMP"
    Nicolas> methods, even if the KDC might allow it, in which case
    Nicolas> you'd want the system to try all other pre-auth methods
    Nicolas> available.

I agree.
I don't think that is what the current interface was intended to be though.

At most you need three interfaces:
* optimistic hint
* list of mechanisms to avoid because they are constrained against
* For cases like S4U a specific set of mechanisms we must use.

More information about the krbdev mailing list