[120] in Zephyr_Comments
Re: inconsistent Kerberos behavior
daemon@ATHENA.MIT.EDU (Jerome H. Saltzer)
Wed Oct 26 17:31:10 1988
Date: Wed, 26 Oct 88 17:30:17 EDT
To: John T Kohl <jtkohl@ATHENA.MIT.EDU>
Cc: zephyr-comments@ATHENA.MIT.EDU, Jerome H Saltzer <Saltzer@ATHENA.MIT.EDU>
In-Reply-To: John T Kohl <jtkohl@ATHENA.MIT.EDU>'s message of Wed, 26 Oct 88 16:50:25 EDT
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
> The inconsistency arises because the Kerberos library does not tell
> clients that the tickets they are about to present to a server have
> expired, coupled with the Zephyr server's handling of
> claim-to-be-but-aren't-authentic notices.
> The client, zwrite, just sends stuff off to the server, and since it
> finds tickets, krb_mk_req doesn't complain at all, even if the tickets
> have expired. [If there is no ticket file, the krb_mk_req complains,
> and so does zwrite.]
In that case, couldn't you make it consistent by having zwrite send a
request to the server even if krb_mk_req doesn't find a ticket? What
is wrong with sending an unauthentic message?
Jerry
