Renewable service tickets

Sam Hartman hartmans at MIT.EDU
Mon Jun 14 09:57:56 EDT 2010


>>>>> "ghudson" == ghudson  <ghudson at MIT.EDU> writes:

    ghudson> What I would like to do is make krb5_get_credentials() and
    ghudson> krb5_get_self_cred_from_kdc() not propagate the renewable
    ghudson> flag from the TGT.

That sounds great.

    ghudson> For the sake of conservatism, I'll
    ghudson> propose adding a new mask to lib/krb5/int-proto.h for use
    ghudson> by those functions, and leaving KDC_TKT_COMMON_MASK alone.

I'd kind of expect the common mask to be the set of things we always ask
for, or at least always default to asking for.  As such, I'd prefer that
you change this constant and find a way to mask in renewable in the
forwarding path.  My objection is not strong enough to block things if
you choose to do something else, but I think in this instance, least
surprise trumps conservatism.
