[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal 0.5.2 and v4 cross-realm

At 10:09 AM -0500 3/17/03, assar wrote:
>  * kdc: add option for disabling v4 cross-realm (defaults to off)

Correct me if I'm wrong, but as I understand cross-realm 
authentication the user requests the cross-realm ticket of his own 
KDC, which obtains them on his behalf and forwards them back to him. 
In other words cross-realm ticket requests always originate from the 
other realm's KDC, not directly from the user.

Doesn't this imply that a cross-realm service restriction to a 
specific machine (or set of machines for a given realm) would be a 
"good" alternative to disabling the entire capability?

Am I wrong?  I don't claim to be a Kerberos expert.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu