
Re: TGT forwarding when cross-realm auth?





Jeffrey Hutzelman wrote:

> On Monday, June 06, 2005 10:30:55 AM -0500 "Douglas E. Engert" 
> <deengert@anl.gov> wrote:
> 
>> Even if you had trust set up both ways, it would not allow a
>> krbtgt/A@B to be issued using the krbtgt/B@A, as this would violate
>> the cross-realm trust assumptions because the user is still me@A.
>> Realm A expects the user@A to use the krbtgt/A@A for services in A.
> 
> 
> Note that this protection does not live entirely in realm B.  A proper 
> KDC for realm A will not honor a krbtgt/A@B ticket for me@A, even if the 
> realm B KDC were to issue one.

Yes, that is what I thought I said.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
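
Added example, not part of the original message and not code from any KDC implementation: a simplified Python model of the check discussed above, in which the KDC for realm A refuses a krbtgt/A@B ticket whose client is me@A. The function names are hypothetical, principal parsing ignores escaping, and transited-realm policy is not modelled.

```python
# Added illustration: simplified model of the client-realm check a TGS applies
# to a presented TGT. All function names here are hypothetical.

def split_principal(text):
    """Split 'krbtgt/A@B' into (('krbtgt', 'A'), 'B'). No escape handling."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {text!r}")
    return tuple(name.split("/")), realm

def check_presented_tgt(local_realm, tgt_server, client):
    """Return (accepted, reason) for a TGT presented to local_realm's KDC."""
    components, issuing_realm = split_principal(tgt_server)
    _, client_realm = split_principal(client)

    if len(components) != 2 or components[0] != "krbtgt":
        return False, "not a ticket-granting ticket"
    if components[1] != local_realm:
        # e.g. krbtgt/B@A shown to KDC A: that ticket is meant for realm B's KDC
        return False, "TGT is addressed to another realm"
    if issuing_realm == local_realm:
        # krbtgt/A@A: the ordinary local TGT; the cross-realm rule does not apply
        return True, "local TGT"
    if client_realm == local_realm:
        # krbtgt/A@B for me@A: realm B is vouching for one of A's own users
        return False, "cross-realm TGT names a client from the local realm"
    # Transited-realm policy is out of scope for this model.
    return True, "cross-realm TGT for a foreign client"

if __name__ == "__main__":
    # Constructed cases using the realm names A and B from the thread.
    for tgt, client in [("krbtgt/A@A", "me@A"), ("krbtgt/A@B", "user@B"),
                        ("krbtgt/A@B", "me@A"), ("krbtgt/B@A", "me@A")]:
        print(tgt, client, check_presented_tgt("A", tgt, client))
```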