[20082] in Kerberos_V5_Development
Re: authentication indicators and S4U2Self
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 6 15:29:52 2020
To: Alexander Bokovoy <abokovoy@redhat.com>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <dd7700d9-40cd-b56c-7584-6a65d758f98b@mit.edu>
Date: Wed, 6 May 2020 15:29:29 -0400
In-Reply-To: <20200506182019.GK5611@redhat.com>

On 5/6/20 2:20 PM, Alexander Bokovoy wrote:
> Together with Isaac we were looking into cross-realm S4U2Self
> implementation in FreeIPA and I noticed that MIT Kerberos does not allow
> issuing an S4U2Self service ticket to a service protected with
> an authentication indicator.

I think we can just omit the indicator check for S4U2Self requests.
Restricting how strong the initial ticket acquisition must have been to
access a service has nothing to do with the service fetching tickets for
itself.