[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heimdal 0.5.2 and v4 cross-realm
At 10:09 AM -0500 3/17/03, assar wrote:
> * kdc: add option for disabling v4 cross-realm (defaults to off)
Correct me if I'm wrong, but as I understand cross-realm
authentication the user requests the cross-realm ticket of his own
KDC, which obtains them on his behalf and forwards them back to him.
In other words cross-realm ticket requests always originate from the
other realm's KDC, not directly from the user.
Doesn't this imply that a cross-realm service restriction to a
specific machine (or set of machines for a given realm) would be a
"good" alternative to disabling the entire capability?
Am I wrong? I don't claim to be a Kerberos expert.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or email@example.com