[32827] in Kerberos


Re: Different behaviour of mod_auth_kerb depending on kerberos stack

daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Oct 20 09:49:18 2010

To: Simo Sorce <ssorce@redhat.com>
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 20 Oct 2010 09:49:03 -0400
In-Reply-To: <20101020083034.728a0640@willson.li.ssimo.org> (Simo Sorce's
	message of "Wed, 20 Oct 2010 08:30:34 -0400")
Message-ID: <ldvbp6pkm9c.fsf@cathode-dark-space.mit.edu>
Cc: kerberos@mit.edu

Simo Sorce <ssorce@redhat.com> writes:

> On Tue, 19 Oct 2010 16:18:10 -0700
> Russ Allbery <rra@stanford.edu> wrote:
>
>> Heimdal is doing that check, but it's apparently smart enough to ask
>> your KDC and resolve the alias first, so it finds the right principal.
>
> Or maybe it just tries all the keys regardless of their principal name,
> and if one succeeds in decrypting the payload it just uses it.
> It is probably much faster this way.

We implemented this behavior in MIT Kerberos, but I think the
application needs to avoid specifying an explicit GSS acceptor name in
order for it to work.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
