[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: preauth_always option?
Henry B. Hotz wrote:
> I think Michael is on the right track.
> IMO the real problem is that the log entry for no-preauth makes it sound
> like it's an error when it's not. This is more a human relations thing
> than a technical one. Heimdal's error message is just as
> ominous-sounding as the MS DC one.
> I'm sure there are situations where the extra round trip needs to be
> avoided, but not usually.
I agree IHMO, fix the message, its not an error but normal. Let the client trust
the KDC to return the pre-auth options/parameters/seeds as suggested in
If someone wanted to save a few round trips for Kerberos on the network,
a much better place would be to cache (on the client) credentials that are
Every ssh session that delegates, has to get a new TGT to delegate.
Every sshd that receives delegated TGT and uses it to get an AFS
token or maybe an NFSv4 ticket has to get a service ticket for AFS or NFS.
It would be nice if the ssh could cache a TGT and an AFS service ticket,
and then delegate these. It would cut down the load on the KDCs.
mod_auth_kerb with delegation is another example. Every new connection
has to get a new TGT to delegate! That could be one per web page!
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or firstname.lastname@example.org
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439