[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: API differences between Heimdal and MIT

To: Juha Jäykkä <juhaj@iki.fi>
Subject: Re: API differences between Heimdal and MIT
From: Johan Danielsson <joda@pdc.kth.se>
Date: Mon, 06 Feb 2006 10:21:53 +0100
Cc: Gabor Gombas <gombasg@sztaki.hu>, heimdal-discuss@sics.se
In-Reply-To: <20060203145149.6feb2c3d@noether.tfy.utu.fi> (JuhaJäykkä's message of "Fri, 03 Feb 2006 14:51:49 +0200")
References: <20060202161753.20c37c47@noether.tfy.utu.fi><xofhd7giw0d.fsf@shoal.pdc.kth.se><20060203131929.41a3aa60@noether.tfy.utu.fi><20060203115514.GA9959@boogie.lpds.sztaki.hu><20060203145149.6feb2c3d@noether.tfy.utu.fi>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.4 (berkeley-unix)

Juha Jäykkä <juhaj@iki.fi> writes:

> I understand your view, but cannot agree. If match_local_principals()
> succeeds I think there is no reason to block the user just because
> .k5login is *inaccesible* (if it's empty, but readable, I agree: block the
> user). 

You can't have both. Suppose I can trick your fileservers to be
unavailable for a some time -- it's then possible to login even though
I'm not allowed to.

Maybe this should be configurable.

/Johan

Follow-Ups:
- Re: API differences between Heimdal and MIT
  - From: Juha Jäykkä <juhaj@iki.fi>

References:
- API differences between Heimdal and MIT
  - From: Juha Jäykkä <juhaj@iki.fi>
- Re: API differences between Heimdal and MIT
  - From: Johan Danielsson <joda@pdc.kth.se>
- Re: API differences between Heimdal and MIT
  - From: Juha Jäykkä <juhaj@iki.fi>
- Re: API differences between Heimdal and MIT
  - From: Gabor Gombas <gombasg@sztaki.hu>
- Re: API differences between Heimdal and MIT
  - From: Juha Jäykkä <juhaj@iki.fi>

Prev by Date: No Subject
Next by Date: Re: API differences between Heimdal and MIT
Prev by thread: Re: API differences between Heimdal and MIT
Next by thread: Re: API differences between Heimdal and MIT
Index(es):
- Date
- Thread