
Re: preauth_always option?



On Thu, 29 May 2008 17:02:23 -0500
"Douglas E. Engert" <deengert@anl.gov> wrote:

> 
> 
> Michael B Allen wrote:
> > On Thu, 29 May 2008 14:11:32 -0500
> > "Douglas E. Engert" <deengert@anl.gov> wrote:
> > 
> >> mod_auth_kerb with delegation is another example. Every new connection
> >> has to get a new TGT to delegate! That could be one per web page!
> > 
> > I'm curious. Why does mod_auth_kerb need to get a TGT to do
> > delegation? Doesn't it just use the delegated credential emitted
> > by gss_accept_sec_context?
> 
> I did not word that right. The overhead is on the client side and its
> KDC. The client side of spnego would get the TGT to delegate to mod_auth_kerb.
> But the Kerberos client does not cache the TGTs to be delegated, so each
> time a spnego connect is made the client will get a new TGT. The delegated
> TGT may have channel bindings or some other flags that mean it is
> different than the main user's TGT.

Ahh, yes, but I think that's specific to non-Windows systems. Someone
really should fix that actually. FF needs the PIPE ccache code I was
playing with.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
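As an added illustration (not code from this thread, nor from MIT Kerberos, Firefox, or mod_auth_kerb), here is a small Python model of the client-side cost described above: each SPNEGO connection with delegation asks the KDC for a fresh forwarded TGT unless the client caches those tickets. The model keys the cache on the attributes that make a delegated TGT differ from the user's main TGT (forwarded/forwardable flags and channel bindings) and honours ticket expiry. All class and function names, the ticket lifetime, and the principal name are assumptions made for the example.

```python
"""Toy model of delegated-TGT caching on a SPNEGO client.

Hypothetical illustration only: a stand-in KDC counts ticket requests,
and a client either re-requests a forwarded TGT on every connection
(today's behaviour as described in the thread) or caches it keyed on
the attributes that distinguish it from the user's primary TGT.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TgtKey:
    """Attributes that make a delegated TGT distinct from the main TGT.

    A cache has to key on these; keying on the user alone would hand a
    ticket bound to one channel to a connection on another.
    """
    client: str
    forwardable: bool
    forwarded: bool
    channel_bindings: bytes = b""


@dataclass
class Tgt:
    key: TgtKey
    expires_at: float  # seconds on a constructed monotonic clock


class Kdc:
    """Stand-in KDC: issues tickets and counts how often it is asked."""

    def __init__(self, lifetime_s: float = 36000.0):  # assumed 10h tickets
        self.requests = 0
        self.lifetime_s = lifetime_s

    def issue(self, key: TgtKey, now: float) -> Tgt:
        self.requests += 1
        return Tgt(key, now + self.lifetime_s)


class Client:
    """SPNEGO initiator that needs a forwarded TGT for each delegated connect."""

    def __init__(self, kdc: Kdc, cache_delegated: bool):
        self.kdc = kdc
        self.cache_delegated = cache_delegated
        self._cache: Dict[TgtKey, Tgt] = {}

    def delegated_tgt(self, user: str, channel_bindings: bytes, now: float) -> Tgt:
        key = TgtKey(user, forwardable=True, forwarded=True,
                     channel_bindings=channel_bindings)
        if self.cache_delegated:
            hit = self._cache.get(key)
            if hit is not None and hit.expires_at > now:
                return hit  # reuse: no KDC round trip
        tgt = self.kdc.issue(key, now)
        if self.cache_delegated:
            self._cache[key] = tgt
        return tgt


def kdc_requests(bindings: List[bytes], cache_delegated: bool,
                 interval_s: float = 1.0) -> int:
    """Simulate one delegated SPNEGO connect per entry in `bindings`,
    spaced `interval_s` apart, and return how many tickets the KDC issued."""
    kdc = Kdc()
    client = Client(kdc, cache_delegated)
    for i, cb in enumerate(bindings):
        client.delegated_tgt("user@EXAMPLE.ORG", cb, now=i * interval_s)
    return kdc.requests


if __name__ == "__main__":
    pages = [b""] * 50  # constructed: 50 page loads to one web server
    print("no cache:", kdc_requests(pages, cache_delegated=False))  # 50
    print("cached:  ", kdc_requests(pages, cache_delegated=True))   # 1
```

With caching off, fifty page loads cost fifty KDC requests, which is the "one per web page" overhead from the thread; with caching on, they cost one. Connections carrying different channel bindings get separate cache entries, and an entry is refetched once its ticket has expired.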