[36317] in Kerberos


Re: Client keytab ignored when CC has expired

daemon@ATHENA.MIT.EDU (Michael Osipov)
Thu Jul 31 17:26:02 2014

Message-ID: <53DAB45F.3080802@gmx.net>
Date: Thu, 31 Jul 2014 23:25:51 +0200
From: Michael Osipov <1983-01-06@gmx.net>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <53DA6653.9030906@mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Am 2014-07-31 um 17:52 schrieb Greg Hudson:
> On 07/31/2014 03:24 AM, Michael Osipov wrote:
>> That sounds reasonable and should solve the issue. Albeit, I do think that the detection
>> algorithm could be better and pursue a best-effort/match/seldom-fail approach. It makes the
>> entire process idiot-proof.
>
> I have opened a ticket for this:
>
>      http://krbdev.mit.edu/rt/Ticket/Display.html?id=7976

Great, waiting for this in 1.13 eagerly.

> I'm not sure if the process can be made completely idiot-proof, but it
> can certainly work better for the case where someone manually obtains
> credentials for the same principal as the one in the client keytab.

It would be better, at least.

> If a person gets credentials for a different principal, it's harder to be
> predictable.

If principals do not match, I would expect it to fail explicitly. Unless
someone uses a DIR-style CC and knows how to operate with kswitch.

Michael


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
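The decision the thread argues about (use the existing credential cache, re-acquire from the client keytab, or fail because the cache belongs to another principal), written out as an added example. This is not MIT krb5's code and not the algorithm ticket 7976 ended up with; it is a model of the "match the principal, check expiry, fail explicitly on mismatch, leave DIR collections to kswitch" policy Michael describes. The klist-style text, the principal names, the helper names (`parse_klist`, `choose_credentials`, `decide_from_klist`, `at`) and the four-digit-year date format are all constructed for this illustration.

```python
"""Model of the client-keytab vs. credential-cache decision discussed in the thread.

Added illustration, not krb5's implementation. It parses constructed klist-style
output, compares the cache's default principal with the client keytab principal,
checks whether the TGT is still valid, and returns an action.
"""
from datetime import datetime, timezone
import re

# Constructed sample of `klist` output (not captured from a real system; the
# real date format depends on build and locale).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
07/31/2014 08:00:00  07/31/2014 18:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

# Same cache, but as a DIR-type collection (constructed).
SAMPLE_KLIST_DIR = SAMPLE_KLIST.replace(
    "Ticket cache: FILE:/tmp/krb5cc_1000", "Ticket cache: DIR::/tmp/krb5cc_dir/tkt")

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumed format of the constructed sample


def at(stamp):
    """Parse a constructed timestamp string into an aware UTC datetime."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_klist(text):
    """Return (default_principal, tgt_expiry) from klist-style text.

    Either value is None when the corresponding line is absent.
    """
    principal = None
    expiry = None
    for line in text.splitlines():
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            principal = m.group(1)
            continue
        # "<valid starting>  <expires>  krbtgt/..." : only the TGT line matters here.
        m = re.match(r"(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", line)
        if m:
            expiry = at(m.group(2))
    return principal, expiry


def choose_credentials(cache_principal, cache_expiry, keytab_principal, now, cache_type="FILE"):
    """Decide what a client with both a keytab and a default cache should do.

    Returns one of:
      "use-cache"           cache holds an unexpired TGT for the keytab's principal
      "refresh-from-keytab" cache is empty, or for the right principal but expired
      "switch-subcache"     DIR collection for another principal; kswitch can pick
                            the matching sub-cache, so do not fail outright
      "fail"                single cache for a different principal; fail explicitly
    """
    if cache_principal is None or cache_principal == keytab_principal:
        if cache_expiry is not None and cache_expiry > now:
            return "use-cache"
        return "refresh-from-keytab"
    if cache_type == "DIR":
        return "switch-subcache"
    return "fail"


def decide_from_klist(text, keytab_principal, now):
    """Convenience wrapper: parse klist-style text and apply the policy."""
    principal, expiry = parse_klist(text)
    cache_type = "DIR" if "Ticket cache: DIR:" in text else "FILE"
    return choose_credentials(principal, expiry, keytab_principal, now, cache_type)


if __name__ == "__main__":
    for when in ("07/31/2014 17:26:02", "07/31/2014 23:25:51"):
        print(when, "alice keytab ->",
              decide_from_klist(SAMPLE_KLIST, "alice@EXAMPLE.ORG", at(when)))
    print("host keytab, FILE cache ->",
          decide_from_klist(SAMPLE_KLIST, "host/srv@EXAMPLE.ORG", at("07/31/2014 17:26:02")))
    print("host keytab, DIR cache  ->",
          decide_from_klist(SAMPLE_KLIST_DIR, "host/srv@EXAMPLE.ORG", at("07/31/2014 17:26:02")))
```

The "fail" branch is the behaviour Michael asks for when principals differ; the DIR branch is the one exception he names, where a collection cache plus kswitch lets the caller pick the right sub-cache instead of aborting.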
