[1244] in Kerberos_V5_Development
Re: kadm5_init, acquiring initial credentials
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Tue May 28 22:29:53 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU, jik@cam.ov.com
In-Reply-To: Your message of "Tue, 28 May 96 17:44:17 -0400 ."
<9605282144.AA21467@beeblebrox.MIT.EDU>
Date: Tue, 28 May 1996 22:21:24 -0400
From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
> The kadm5 api is defined such that it always acquires new tickets for
> the kadmin service principal every time it is run.

Does "every time it is run" mean "every time a kadmin client program
is run" or "on every transaction with the database"?
I guess I agree with Richard -- if you really want to put constraints
on this, you should do it via KDC policy (e.g., special permission
bits on changepw, and short ticket lifetime) not (just) code in the
kadmin client library.
- Bill