
Re: preauth_always option?
Henry B. Hotz wrote:
> I think Michael is on the right track.
> 
> IMO the real problem is that the log entry for no-preauth makes it sound 
> like it's an error when it's not.  This is more a human relations thing 
> than a technical one.  Heimdal's error message is just as 
> ominous-sounding as the MS DC one.
> 
> I'm sure there are situations where the extra round trip needs to be 
> avoided, but not usually.

I agree. IMHO, fix the message; it's not an error but normal. Let the client trust
the KDC to return the pre-auth options/parameters/seeds as suggested in
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-07.txt

If someone wanted to save a few round trips for Kerberos on the network,
a much better place would be to cache (on the client) credentials that are
delegated.

Every ssh session that delegates has to get a new TGT to delegate.
Every sshd that receives a delegated TGT and uses it to get an AFS
token or maybe an NFSv4 ticket has to get a service ticket for AFS or NFS.
It would be nice if ssh could cache a TGT and an AFS service ticket,
and then delegate these. It would cut down the load on the KDCs.

mod_auth_kerb with delegation is another example. Every new connection
has to get a new TGT to delegate! That could be one per web page!

> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
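As an added example (not part of this thread or of any KDC's own code), a small Python classifier for KDC AS_REQ log lines that treats the NEEDED_PREAUTH round trip as informational, so that only genuine failures surface as warnings. The line format is an assumption modelled on MIT krb5's kdc.log, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an MIT krb5 kdc.log. The exact
# wording is an assumption; Heimdal and Windows DCs log these events differently.
SAMPLE_LOG = """\
Mar 03 10:01:02 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 03 10:01:02 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1709460062, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 03 10:01:05 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 03 10:01:05 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 03 10:01:09 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: nosuch@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
"""

AS_REQ_RE = re.compile(
    r"AS_REQ \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+@\S+) for (?P<server>[^\s,]+)"
)

# NEEDED_PREAUTH is the KDC telling the client which pre-auth data to send
# (etype/salt info); together with the following ISSUE it is one normal exchange.
NORMAL = {"NEEDED_PREAUTH", "ISSUE"}

def parse_as_req(line):
    """Return a dict for an AS_REQ log line, or None for any other line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = "info" if rec["status"] in NORMAL else "warning"
    return rec

def summarize(log_text):
    """Per-client counts: pre-auth round trips, tickets issued, real failures."""
    stats = defaultdict(lambda: {"preauth_roundtrips": 0, "issued": 0, "failures": 0})
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["status"] == "NEEDED_PREAUTH":
            s["preauth_roundtrips"] += 1
        elif rec["status"] == "ISSUE":
            s["issued"] += 1
        else:
            s["failures"] += 1
    return dict(stats)

if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s)
```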