[33014] in Kerberos
Re: GSS_C_NO_NAME for desired_name?
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Jan 1 13:09:03 2011
From: Russ Allbery <rra@stanford.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <20110101164855.GA4374@talktalkplc.com> (Brian Candler's message
of "Sat, 1 Jan 2011 16:48:55 +0000")
Date: Sat, 01 Jan 2011 10:08:55 -0800
Message-ID: <877heo5weg.fsf@windlord.stanford.edu>
Brian Candler <B.Candler@pobox.com> writes:
> So if I understand it right, there isn't a problem with allowing a service
> to decrypt a ticket using any key in the keytab. The problem is putting
> multiple service principals' keys in the same keytab in the first place.
> Does that make sense?
Yeah, that's the general consensus of most of us who run Kerberos, which
is the reason why people generally don't worry very much about software
accepting any key in the keytab.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
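
Added example, not part of the original message or of any Kerberos distribution: a check that lists which principals have keys in a keytab, so a file shared between services (the situation the thread identifies as the real problem) can be spotted. It assumes the MIT keytab file format version 0x0502; the function names are hypothetical and the two sample keytabs are constructed with dummy keys.

```python
import struct
def _counted(buf, off):  # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Map each principal in a 0x0502 keytab to its set of (kvno, enctype)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, off = {}, 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size: deleted entry (hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        p += 8                         # skip name type and timestamp
        kvno, enctype = struct.unpack_from(">BH", data, p)
        _, p = _counted(data, p + 3)   # step over the key bytes, never kept
        if end - p >= 4:               # optional 32-bit kvno, used if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name = "/".join(comps) + "@" + realm.decode()
        found.setdefault(name, set()).add((kvno, enctype))
        off = end
    return found

def is_shared(data):  # True when keys for more than one principal are present
    return len(keytab_principals(data)) > 1

def make_entry(principal, kvno, enctype, key=bytes(32)):
    """Build one constructed entry (dummy key bytes) for the samples below."""
    name, realm = principal.split("@")
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = [s(c.encode()) for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + s(realm.encode()) + b"".join(comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + s(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed samples: a dedicated keytab, and one shared by two services.
DEDICATED = b"\x05\x02" + make_entry("HTTP/www.example.com@EXAMPLE.COM", 3, 18)
SHARED = DEDICATED + struct.pack(">i", -4) + bytes(4) + make_entry(
    "imap/mail.example.com@EXAMPLE.COM", 1, 18)
```

Several kvnos or enctypes for one principal are not flagged; only keys belonging to more than one principal are.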