Automatic FAST via Anonymous PKINIT
Benjamin Kaduk
kaduk at MIT.EDU
Mon Jun 2 17:07:30 EDT 2014
On Mon, 2 Jun 2014, Nathaniel McCallum wrote:
> Even if we use FAST to encrypt all traffic, the temporary anonymous
> ticket will only be used for ASReq requests. #4 provides no benefit to
Right.
> "FAST all the time" apart from ASReqs. The only case where it does make
> sense is in a login system. And the login system should (generally) be a
> Kerberos service in its own right. This is precisely how SSSD works. No
> anonymous ticket is needed because the service has its own ticket which
> is managed in the SSSD ticket ccache.
I expect that there are a lot of different deployment models for Kerberos,
not all of which involve the login manager managing everything. What you
describe is certainly true for the case that SSSD is trying to solve; I
don't have a good sense for what fraction of deployments it represents.
-Ben