[15895] in Kerberos_V5_Development


Re: Renewable service tickets

daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Jun 14 09:58:07 2010

From: Sam Hartman <hartmans@mit.edu>
To: ghudson@mit.edu
Date: Mon, 14 Jun 2010 09:57:56 -0400
In-Reply-To: <201006091659.o59Gxf5X002414@outgoing.mit.edu> (ghudson@mit.edu's
	message of "Wed, 9 Jun 2010 12:59:41 -0400 (EDT)")
Message-ID: <tsliq5lzpgb.fsf@mit.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>>>>> "ghudson" == ghudson  <ghudson@MIT.EDU> writes:

    ghudson> What I would like to do is make krb5_get_credentials() and
    ghudson> krb5_get_self_cred_from_kdc() not propagate the renewable
    ghudson> flag from the TGT.

That sounds great.

    ghudson> For the sake of conservatism, I'll
    ghudson> propose adding a new mask to lib/krb5/int-proto.h for use
    ghudson> by those functions, and leaving KDC_TKT_COMMON_MASK alone.

I'd kind of expect the common mask to be the set of things we always ask
for or at least always defaulting to ask for.  As such, I'd prefer that
you change this constant and find a way to mask in renewable in the
forwarding path.  My objection is not strong enough to block things if
you choose to do something else, but I think in this instance, least
surprise trumps conservatism.