[7595] in Kerberos
Re: Question about the security of forwarded TGTs
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Jul 4 15:12:52 1996
To: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Cc: kerberos@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 04 Jul 1996 14:59:51 -0400
In-Reply-To: kenh@cmf.nrl.navy.mil's message of 2 Jul 1996 18:54:51 -0400

>>>>> "Ken" == Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
Ken> In article <tslhgrqed3c.fsf@tertius.mit.edu>, Sam Hartman
Ken> Okay, I see. So as long as I've authenticated to the server,
Ken> then it will use the session key that it got for talking with
Ken> that principal, right? (Assuming that I use krb5_fwd_tgt(),
Ken> which I am).

Yes, this is sufficient so long as you pass in the
auth_context that you used with krb5_mk_req or krb5_sendauth when you
forward the credentials. If you use an auth_context that isn't
correct, you should get a decrypt integrity error on the remote side.
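
The key binding described above, as an added Python model that is not part of the original message and is not MIT krb5 code: the forwarded credential is sealed under the session key held in the auth_context, so a receiver whose context holds a different key fails the integrity check. `AuthContext`, `forward_creds`, `receive_creds` and the SHAKE/HMAC sealing are assumptions standing in for the real krb5 structures and encryption types.

```python
import hashlib
import hmac
import os

class DecryptIntegrityError(Exception):
    """Model of the 'decrypt integrity' failure the receiving side reports."""

class AuthContext:
    """Hypothetical stand-in for a krb5 auth_context: holds one session key."""
    def __init__(self, session_key: bytes):
        self.session_key = session_key

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and for the integrity tag.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE-256 as a simple keystream; a stand-in, not a Kerberos enctype.
    return hashlib.shake_256(key + nonce).digest(length)

def forward_creds(ctx: AuthContext, tgt: bytes) -> bytes:
    """Sender side: seal the credential under the context's session key."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(ctx.session_key, b"enc"), nonce, len(tgt))
    body = bytes(a ^ b for a, b in zip(tgt, stream))
    tag = hmac.new(_subkey(ctx.session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def receive_creds(ctx: AuthContext, blob: bytes) -> bytes:
    """Receiver side: verify the tag before decrypting; a wrong key fails here."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(ctx.session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise DecryptIntegrityError("decrypt integrity check failed")
    stream = _keystream(_subkey(ctx.session_key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def demo() -> tuple:
    key = os.urandom(32)                     # constructed session key from the AP exchange
    client_ctx, server_ctx = AuthContext(key), AuthContext(key)
    stray_ctx = AuthContext(os.urandom(32))  # context from some other exchange
    tgt = b"constructed-forwarded-TGT"       # constructed sample credential
    ok = receive_creds(server_ctx, forward_creds(client_ctx, tgt)) == tgt
    try:
        receive_creds(server_ctx, forward_creds(stray_ctx, tgt))
        rejected = False
    except DecryptIntegrityError:
        rejected = True
    return ok, rejected
```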