-allow_tix and renewable tickets

Chris Hecker checker at d6.com
Tue Nov 27 15:17:49 EST 2012

For those with a long memory, this is still on my "how to ban clients
with Kerberos effectively" thread.

I've been thinking about renewable tickets recently, and I haven't had a
chance to test this yet, but does a renew operation check allow_tix or
not?  A glance at the MIT KDC source looks like it doesn't, so I'd need
to make that part of any patch I will eventually send for checking
allow_tix on TGS requests as discussed previously.  I assume it "should"
check the client's not locked out before allowing a renew, right, since
the whole point of renewable tickets is to increase convenience without
giving up on much security, so you want a long renew lifetime but be
able to revoke privileges in the middle of it?

Wasn't sure if this should be krbdev or kerberos, but since I mentioned
code I figured I'd put it here.


