[36315] in Kerberos
Re: Client keytab ignored when CC has expired
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jul 31 11:53:08 2014
Message-ID: <53DA6653.9030906@mit.edu>
Date: Thu, 31 Jul 2014 11:52:51 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Michael Osipov <1983-01-06@gmx.net>
In-Reply-To: <trinity-e3193417-fbb4-4b72-ab37-3dafbcb35a53-1406791474093@3capp-gmx-bs30>
Cc: kerberos@mit.edu

On 07/31/2014 03:24 AM, Michael Osipov wrote:
> That sounds reasonable and should solve the issue. Albeit, I do think that the detection
> algorithm could be better and pursue a best-effort/match/seldom-fail approach. It makes the
> entire process idiot-proof.

I have opened a ticket for this:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7976

I'm not sure if the process can be made completely idiot-proof, but it
can certainly work better for the case where someone manually obtains
credentials for the same principal as the one in the client keytab. If
a person gets credentials for a different principal, it's harder to be
predictable.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos