[32435] in Kerberos
Re: bug?: erroneous start time for max renewable life check
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Tue Jun 8 07:25:19 2010
Message-ID: <4C0E2892.1080300@secure-endpoints.com>
Date: Tue, 08 Jun 2010 07:25:06 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: kerberos@mit.edu
In-Reply-To: <20100517233705.GA43099@ucar.edu>
Reply-To: jaltman@secure-endpoints.com
This is a cryptographically signed message in MIME format.
On 5/17/2010 7:37 PM, Richard Johnson wrote:
>
> The misbehavior:
>
> When a TGT with the Renewable flag set is used to obtain an ftp or host ticket
> on an MIT Kerberos client, that ftp or host service ticket also has the
> Renewable flag set. I call this misbehavior as it seems nonsensical. If an
> ftp or host service ticket is expired, a new one will be obtained; there's no
> need to make them renewable.

It would only be nonsensical if the assumption were that the obtained service ticket would never be used without possession of the TGT. A renewable service ticket permits that ticket to be handed off to a process which is meant to do a specific task (local or remote) without the dangers inherent in delegating a TGT.

Jeffrey Altman
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos