[32683] in Kerberos
Re: Forwardable tickets - need help
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Sep 17 15:36:17 2010
Date: Fri, 17 Sep 2010 14:34:29 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: egrama <egrama@gmail.com>
Message-ID: <20100917193429.GZ3982@oracle.com>
In-Reply-To: <193d4e7b-a1d6-49b1-9c14-8119e38f1f1c@g10g2000vbc.googlegroups.com>
Cc: kerberos@mit.edu

On Fri, Sep 17, 2010 at 10:40:19AM -0700, egrama wrote:
> Shouldn't a non-forwardable ticket be good only on the host to which
> it was issued (host A in our example)?

Because of NAT the use of addresses to control where a ticket can be
used from has become difficult at best to keep going, thus many sites
use address-less tickets, which in turn can be "forwarded" anywhere you
want.

The solution to this should be to require that a ticket be used in
conjunction with another ticket for a client host principal
corresponding to the host that the ticket is tied down to. This would
have to be done via authorization-data elements in the Authenticator.

Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
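The point Nico makes above (an address-less ticket is usable from any host, and the F flag only adds to that) can be checked on a client with nothing more than `klist -f -a` output. The script below is an added example and not part of the mailing-list thread: it parses text shaped like MIT krb5 `klist -f -a` output (the exact layout, with "Flags:" and "Addresses:" lines under each entry, is assumed here and the sample is constructed) and reports every ticket that is both forwardable and carries no address restriction.

```python
"""Report credential-cache entries that are forwardable AND address-less.

Added example, not from the Kerberos list thread.  The input format is
assumed to follow MIT krb5 ``klist -f -a``: one line per ticket with
start, expiry and service principal, followed by indented "Flags:" and
"Addresses:" lines.  The sample below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on ``klist -f -a`` (assumed layout).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
09/17/2010 14:00:00  09/18/2010 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FRIA
\tAddresses: (none)
09/17/2010 14:01:00  09/18/2010 00:00:00  host/hosta.example.com@EXAMPLE.COM
\tFlags: RA
\tAddresses: (none)
09/17/2010 14:02:00  09/18/2010 00:00:00  host/hostb.example.com@EXAMPLE.COM
\tFlags: FRA
\tAddresses: 192.0.2.10
"""


@dataclass
class Ticket:
    service: str
    flags: str = ""
    addresses: list = field(default_factory=list)

    @property
    def forwardable(self) -> bool:
        # klist prints F for the FORWARDABLE ticket flag.
        return "F" in self.flags

    @property
    def address_less(self) -> bool:
        # No caddr in the ticket: the KDC/service cannot tie it to a host.
        return not self.addresses


# "<start date> <start time>  <expiry date> <expiry time>  <service>"
ENTRY_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+)$")


def parse_klist(text: str) -> list:
    """Turn klist-style output into Ticket records."""
    tickets = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(
            ("Ticket cache:", "Default principal:", "Valid starting")
        ):
            continue
        if stripped.startswith("Flags:") and tickets:
            tickets[-1].flags = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Addresses:") and tickets:
            addrs = stripped.split(":", 1)[1].strip()
            tickets[-1].addresses = (
                [] if addrs == "(none)" else re.split(r"[,\s]+", addrs)
            )
        else:
            m = ENTRY_RE.match(line)
            if m:
                tickets.append(Ticket(service=m.group(1)))
    return tickets


def unrestricted_forwardable(tickets: list) -> list:
    """Service principals of tickets usable, and forwardable, from any host."""
    return [t.service for t in tickets if t.forwardable and t.address_less]


if __name__ == "__main__":
    # Replace SAMPLE_KLIST with the real output of ``klist -f -a`` to audit
    # a live cache.
    for svc in unrestricted_forwardable(parse_klist(SAMPLE_KLIST)):
        print("forwardable, no address restriction:", svc)
```

On the constructed sample only the TGT is reported: the host A ticket is address-less but not forwardable, and the host B ticket is forwardable but bound to an address. Whether freshly obtained tickets get the F flag and whether they carry addresses at all is governed on MIT krb5 clients by the `forwardable` and `noaddresses` settings in the `[libdefaults]` section of krb5.conf; as Nico notes, turning addresses back on is what NAT makes painful.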