
Re: preauth_always option?





Michael B Allen wrote:
> On Thu, 29 May 2008 14:11:32 -0500
> "Douglas E. Engert" <deengert@anl.gov> wrote:
> 
>> mod_auth_kerb with delegation is another example. Every new connection
>> has to get a new TGT to delegate! That could be one per web page!
> 
> I'm curious. Why does mod_auth_kerb need to get a TGT to do
> delegation? Doesn't it just use the delegated credential emitted
> by gss_accept_sec_context?

I did not word that right. The overhead is on the client side and its
KDC. The client side of spnego would get the TGT to delegate to mod_auth_kerb.
But the Kerberos client does not cache the TGTs to be delegated, so each
time a spnego connect is made the client will get a new TGT. The delegated
TGT may have channel bindings or some other flags that mean it is
different than the main user's TGT.

> 
> Mike
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444