[19877] in Kerberos_V5_Development


Re: Question about excluding the PAC

daemon@ATHENA.MIT.EDU (Mark Pröhl)
Tue Jan 29 15:59:07 2019

To: "Schwartz, John" <John.Schwartz@anthem.com>, "krbdev@mit.edu" <krbdev@mit.edu>
From: Mark Pröhl <mark@mproehl.net>
Message-ID: <2c87c5ec-e859-6ea3-3cf6-10d49d820588@mproehl.net>
Date: Tue, 29 Jan 2019 21:58:50 +0100
In-Reply-To: <BN6P169MB0034FC9EE08146E2C0D1FE70919B0@BN6P169MB0034.NAMP169.PROD.OUTLOOK.COM>

Hi,

I wonder what kind of Kerberos infrastructure is providing the PAC. In
the case of Active Directory, you can typically get rid of the PAC by
modifying the service account that is associated with the HTTP
principal. This only affects tickets for that particular service.
Maybe your implementation on Linux offers a similar way?

Regards,

Mark Pröhl

On 1/25/19 10:56 PM, Schwartz, John wrote:
> All, I have a Kerberos 5 implementation running on Linux that is integrated with the web server for website SSO access.
> 
> I have a need to exclude the PAC from the request ticket and am looking for the simplest way to do that.
> 
> I see that kinit has the option "--no-request-pac"
> 
> Is there a similar way to do it from the krb5.conf or does it need a custom shared object?
> 
> If it needs a custom shared object, can someone provide sample code?  I am not able to tell from the existing documentation what needs to be done.
> 
> Any assistance is greatly appreciated.
> 
> Thank you,
> 
> Anthem, Inc.
> 
> 
> 
> John Schwartz,  Exec Advisor, Authentication Services
> 21555 Oxnard St., Woodland Hills, California 91367
> O: (818) 234-6763 |
> john.schwartz@anthem.com
> 
> _______________________________________________
> krbdev mailing list             krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev