Re: heimdal 0.5.2 and v4 cross-realm
At 10:09 AM -0500 3/17/03, assar wrote:
> * kdc: add option for disabling v4 cross-realm (defaults to off)
Correct me if I'm wrong, but as I understand cross-realm
authentication the user requests the cross-realm ticket of his own
KDC, which obtains them on his behalf and forwards them back to him.
In other words cross-realm ticket requests always originate from the
other realm's KDC, not directly from the user.
Doesn't this imply that a cross-realm service restriction to a
specific machine (or set of machines for a given realm) would be a
"good" alternative to disabling the entire capability?
Am I wrong? I don't claim to be a Kerberos expert.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu