Re: preauth_always option?
Henry B. Hotz wrote:
> I think Michael is on the right track.
>
> IMO the real problem is that the log entry for no-preauth makes it sound
> like it's an error when it's not. This is more a human relations thing
> than a technical one. Heimdal's error message is just as
> ominous-sounding as the MS DC one.
>
> I'm sure there are situations where the extra round trip needs to be
> avoided, but not usually.
I agree. IMHO, fix the message; it's not an error but normal. Let the client trust
the KDC to return the pre-auth options/parameters/seeds as suggested in
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-07.txt
If someone wanted to save a few round trips for Kerberos on the network,
a much better place would be to cache (on the client) credentials that are
delegated.
Every ssh session that delegates has to get a new TGT to delegate.
Every sshd that receives a delegated TGT and uses it to get an AFS
token or maybe an NFSv4 ticket has to get a service ticket for AFS or NFS.
It would be nice if ssh could cache a TGT and an AFS service ticket,
and then delegate these. It would cut down the load on the KDCs.
mod_auth_kerb with delegation is another example. Every new connection
has to get a new TGT to delegate! That could be one per web page!
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
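The exchange the thread is arguing about, as an added example that is not part of the original message or of any Kerberos implementation: a client that does not yet know its salt/etype sends an AS-REQ without pre-authentication data, the KDC answers with KDC_ERR_PREAUTH_REQUIRED carrying ETYPE-INFO2, and the client retries with PA-ENC-TIMESTAMP. The first request is the normal protocol path (the "NEEDED_PREAUTH" log line), not a failed login; a client that has cached the ETYPE-INFO from an earlier exchange can send pre-auth on its first request and save the round trip. The realm, principal and password are constructed, and PBKDF2 plus HMAC stand in for RFC 3961/3962 string-to-key and encryption, so this is a model of the message flow, not interoperable Kerberos.

```python
"""Simulated Kerberos AS exchange with pre-authentication (added example)."""
import hashlib
import hmac
import os
import time

KDC_ERR_PREAUTH_REQUIRED = 25      # RFC 4120 error codes
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
CLOCK_SKEW = 300                   # seconds; the usual KDC default


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for RFC 3962 string-to-key (assumption: PBKDF2-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


class KDC:
    def __init__(self, realm, accounts):
        # accounts: principal -> password (constructed test data)
        self.db = {}
        for princ, pw in accounts.items():
            salt = realm + princ               # default Kerberos salt: REALM + principal
            self.db[princ] = {"salt": salt, "key": string_to_key(pw, salt)}
        self.log = []                          # what the KDC would write to its log

    def as_request(self, req):
        entry = self.db.get(req["cname"])
        if entry is None:
            return {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN}
        padata = req.get("padata")
        if padata is None:
            # First round trip for a client without cached ETYPE-INFO: normal, not an error.
            self.log.append(f"AS_REQ {req['cname']}: NEEDED_PREAUTH, sending ETYPE-INFO2")
            return {"error": KDC_ERR_PREAUTH_REQUIRED,
                    "etype_info2": {"salt": entry["salt"]}}
        ts, mac = padata["timestamp"], padata["mac"]
        expected = hmac.new(entry["key"], str(ts).encode(), "sha256").digest()
        # Wrong key (wrong password) or a stale/replayed timestamp both fail pre-auth.
        if not hmac.compare_digest(mac, expected) or abs(time.time() - ts) > CLOCK_SKEW:
            self.log.append(f"AS_REQ {req['cname']}: PREAUTH_FAILED")
            return {"error": KDC_ERR_PREAUTH_FAILED}
        self.log.append(f"AS_REQ {req['cname']}: ISSUE TGT")
        return {"tgt": os.urandom(16).hex(), "cname": req["cname"]}


class Client:
    def __init__(self, princ, password, etype_info_cache=None):
        self.princ, self.password = princ, password
        self.cache = etype_info_cache if etype_info_cache is not None else {}
        self.round_trips = 0

    def _pa_enc_timestamp(self, salt):
        # PA-ENC-TIMESTAMP stand-in: HMAC over the current time under the long-term key.
        key = string_to_key(self.password, salt)
        ts = int(time.time())
        return {"timestamp": ts, "mac": hmac.new(key, str(ts).encode(), "sha256").digest()}

    def get_tgt(self, kdc):
        req = {"cname": self.princ}
        if self.princ in self.cache:           # cached ETYPE-INFO: pre-auth on first request
            req["padata"] = self._pa_enc_timestamp(self.cache[self.princ])
        self.round_trips += 1
        rep = kdc.as_request(req)
        if rep.get("error") == KDC_ERR_PREAUTH_REQUIRED:
            self.cache[self.princ] = rep["etype_info2"]["salt"]
            req["padata"] = self._pa_enc_timestamp(self.cache[self.princ])
            self.round_trips += 1
            rep = kdc.as_request(req)
        if "tgt" not in rep:
            raise PermissionError(f"AS exchange failed: error {rep.get('error')}")
        return rep


def demo():
    """Cold client needs two round trips; one with cached ETYPE-INFO needs one."""
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse"})
    cold = Client("alice", "correct horse")
    cold.get_tgt(kdc)
    warm = Client("alice", "correct horse", etype_info_cache=cold.cache)
    warm.get_tgt(kdc)
    return cold.round_trips, warm.round_trips, list(kdc.log)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The only line the KDC logs for the cold client's first request is the NEEDED_PREAUTH one, and the very next request from the same client succeeds; a log reader who treats that first line as a failure is misreading the normal two-step exchange. A real PREAUTH_FAILED, by contrast, only appears after pre-auth data was actually presented and rejected.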