[16278] in Kerberos_V5_Development
Re: Project Review: kinit -C
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Sep 15 09:40:34 2010
From: Sam Hartman <hartmans@mit.edu>
To: Luke Howard <lukeh@padl.com>
Date: Wed, 15 Sep 2010 09:40:12 -0400
In-Reply-To: <D7A856EB-8EA8-40A4-A5F4-201F12993437@padl.com> (Luke Howard's message of "Wed, 15 Sep 2010 15:20:23 +0200")
Message-ID: <tsl4odrm8g3.fsf@live.mit.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
>>>>> "Luke" == Luke Howard <lukeh@padl.com> writes:
Luke> Um, can't we use S4U2Self for this? Or am I missing something
Luke> very obvious?
>>
>> Are s4u2self tickets marked as such?
Luke> No, they're not. S4U2Self is always permitted; the real policy
Luke> knob concerns whether it can get you forwardable tickets,
Luke> which you can then use with S4U2Proxy. S4U2Proxy (constrained
Luke> delegation) tickets are marked with the delegation path.
OK.
I think for this it's desirable to force physical access to the KDC.
So, I don't see avoiding the kdb keytab.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev