-allow_tix and renewable tickets
checker at d6.com
Tue Nov 27 15:17:49 EST 2012
For those with a long memory, this is still on my "how to ban clients
with kerberos effectively" thread.
I've been thinking about renewable tickets recently, and I haven't had a
chance to test this yet, but does a renew operation check allow_tix or
not? A glance at the MIT kdc source looks like it doesn't, so I'd need
to make that part of any patch I will eventually send for checking
allow_tix on TGS requests as discussed previously. I assume it "should"
check the client's not locked out before allowing a renew, right, since
the whole point of renewable tickets is to increase convenience without
giving up on much security, so you want a long renew lifetime but be
able to revoke priviledges in the middle of it?
Wasn't sure if this should be krbdev or kerberos, but since I mentioned
code I figured I'd put it here.
More information about the krbdev