Multi-round trip extension

Simo Sorce simo at
Mon Sep 1 20:35:32 EDT 2014

On Mon, 2014-09-01 at 16:49 -0500, Nico Williams wrote:
> It'd be nice if the AP / mech protocol could recover from various
> failures by doing one more round-trip, such as:
>  - skew too great
>  - wrong kvno (why force users to kinit?! this is a huge pain-point for
>    users!)
>  - replay cache avoidance (server doesn't want it; challenge/response)
>  - replay cache false positive (if the server is using a probabilistic
>    rcache data structure)
> Protocol-wise we just need an Authenticator flag by which the client/
> initiator can tell the server that it is willing to engage in one
> more round trip.  The server/acceptor needs a way to indicate the
> same in a KRB-ERROR (or through an extended AP-REP, maybe? when the
> server can decrypt the Ticket).
> Discovering HTTP/Negotiate apps that can't deal with more than one
> round trip will. be. fun.  We may have to exempt the HTTP service in
> some cases.

In my experience most will fail, either in the client or in the server,
as you need connection-bound state in the server (or complicated session
management even before authentication is completed).


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list