[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: preauth_always option?

Michael B Allen wrote:
> On Thu, 29 May 2008 14:11:32 -0500
> "Douglas E. Engert" <deengert@anl.gov> wrote:
>> mod_auth_kerb with delegation is another example. Every new connection
>> has to get a new TGT to delegate! That could be one per web page!
> I'm curious. Why does mod_auth_kerb need to get a TGT to do
> delegation? Doesn't it just used the delegated credential emitted
> by gss_accept_sec_context?

I did not word that right. The overhead is on the client side and its
KDC. The client side of spnego would get the TGT to delegate to mod_auth_kerb.
But the Kerberos client does not cache the TGTs to be delegated, so ecah
time a spnego connect is made the client will get a new TGT. The delegated
TGT may have channel bindings or some other flags that means it is
different that the the main users TGT.

> Mike


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444