issue with preauth processing
Nicolas Williams
Nicolas.Williams at sun.com
Mon Oct 26 14:34:56 EDT 2009
On Mon, Oct 26, 2009 at 02:33:45PM -0400, Sam Hartman wrote:
> Nicolas> Second, I think it's fair for an application to want to
> Nicolas> avoid the "no pre-auth" and "plain PA-ENC-TIMESTAMP"
> Nicolas> methods, even if the KDC might allow it, in which case
> Nicolas> you'd want the system to try all other pre-auth methods
> Nicolas> available.
>
> I agree.
> I don't think that is what the current interface was intended to be though.
I know. I'm not sure that changing this semantic now would break
anything, but then, I also agree with this:
> At most you need three interfaces:
> * optimistic hint
> * list of mechanisms to avoid because they are constrained against
> * For cases like S4U a specific set of mechanisms we must use.
Except that I'm not sure that there's a real need for an optimistic
hint.
Nico
--