Project Review: kinit -C
Sam Hartman
hartmans at MIT.EDU
Wed Sep 15 09:40:12 EDT 2010
>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:
Luke> Um, can't we use S4U2Self for this? Or am I missing something
Luke> very obvious?
>>
>> Are s4u2self tickets marked as such?
Luke> No, they're not. S4U2Self is always permitted; the real policy
Luke> knob concerns whether it can get you forwardable tickets,
Luke> which you can then use with S4U2Proxy. S4U2Proxy (constrained
Luke> delegation) tickets are marked with the delegation path.
OK.
I think for this it's desirable to force physical access to the KDC.
So, I don't see avoiding the kdb keytab.