[4047] in Kerberos
Delegation in KRB
daemon@ATHENA.MIT.EDU (Gary Gaskell)
Tue Oct 18 04:52:17 1994
To: kerberos@MIT.EDU
Date: Tue, 18 Oct 94 04:39:57 GMT
From: gaskell@thunder.dstc.qut.edu.au (Gary Gaskell)
Delegation in Kerberos appears to be only a single hop mechanism. Does
anyone want to comment on whether this is totally true? It appears
to me that it is possible to use forwardable tickets to give a form
of multi-hop delegation, but this does not restrict the privileges
and so is a poor option.
On reading the RFC it says that the TGS issues a ticket on request
that can be sent to a proxy, but is not a TGS ticket, so from that I
believe the proxy application cannot use the proxy in a second hop.
Comments?
--
regards
Gary Gaskell
DSTC
Cooperative Research Centre for Distributed Systems Technology
Queensland University of Technology
Ph +61-7-864 1051 FAX +61-7-864 1282
Email gaskell@dstc.qut.edu.au URL http://www.dstc.edu.au/intro.html