
List:       kerberos
Subject:    Re: client side password store best practices?
From:       Greg Hudson <ghudson () MIT ! EDU>
Date:       2011-08-09 23:52:38
Message-ID: 1312933958.16540.10.camel () t410

On Tue, 2011-08-09 at 19:34 -0400, Chris Hecker wrote:
> I think I'm confused about the kvno, then.  Is that because the KDC will 
> always use the latest kvno, so the code just sends the latest it's got 
> and hopes it works (and if not, it means the keytab needs updating)?

More or less.  You have to know the current key for an AS exchange (that
may not be true for certain kinds of preauth, but it's the general
design) so there's no need for a kvno.

> But, for other kinds of stuff, like decoding tickets from clients, the 
> server checks the kvno since that's what allows tickets older than a 
> recently changed key to still work?

Right.  If a server re-keys while I already have a ticket for it, the
kvno lets the server pick the correct key for my ticket even though it's
not current.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
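The second half of the reply (the server picking the key for an older ticket by kvno) is easy to see in a small model. The following is an added example, not MIT krb5 code and not something from the thread: it keeps a keytab as a map from (principal, kvno) to key, puts the kvno in the clear part of a constructed "ticket" the way a real Kerberos ticket does, and walks through a rekey while a client still holds a ticket, plus the failure case where the keytab was never updated. The ticket layout, the toy HMAC-based authenticated encryption standing in for an RFC 3961 enctype, the `Kdc` and `Keytab` classes and the principal names are all assumptions made for the illustration; the AS-exchange case (client simply uses its current key, no kvno involved) is not modelled.

```python
"""Toy model of kvno-based key selection on the service side.

Added illustration only: not krb5 code. Real tickets are ASN.1 and real
enctypes come from RFC 3961; here a constructed dict and an HMAC-SHA256
encrypt-then-MAC scheme stand in for them.
"""
import hashlib
import hmac
import secrets
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used only as a stand-in cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key is detected, not silently used."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Keytab:
    """Service-side key store keyed by (principal, kvno). Like a krb5 keytab it
    may retain old kvnos after a rekey, which is what keeps old tickets working."""

    def __init__(self) -> None:
        self._keys: dict[tuple[str, int], bytes] = {}

    def add(self, principal: str, kvno: int, key: bytes) -> None:
        self._keys[(principal, kvno)] = key

    def lookup(self, principal: str, kvno: int) -> bytes:
        try:
            return self._keys[(principal, kvno)]
        except KeyError:
            # The situation Chris describes: the KDC is ahead of the keytab.
            raise LookupError(f"no key for {principal} kvno {kvno}: keytab needs updating") from None


class Kdc:
    """Minimal KDC model: one current (kvno, key) per service principal."""

    def __init__(self) -> None:
        self._db: dict[str, tuple[int, bytes]] = {}

    def set_key(self, principal: str, kvno: int, key: bytes) -> None:
        self._db[principal] = (kvno, key)

    def issue_ticket(self, service: str, client: str) -> dict:
        """Encrypts the enc-part under the service's *current* key and records
        that key's kvno in the clear part, as a real KDC does."""
        kvno, key = self._db[service]
        return {"sname": service, "kvno": kvno, "enc_part": toy_encrypt(key, client.encode())}


def accept_ticket(keytab: Keytab, ticket: dict) -> str:
    """Server side: choose the key by (sname, kvno) from the clear part, then
    decrypt. Returns the client name carried in the (constructed) enc-part."""
    key = keytab.lookup(ticket["sname"], ticket["kvno"])
    return toy_decrypt(key, ticket["enc_part"]).decode()


def rekey_scenario() -> dict:
    """Rekey while a client still holds a ticket, then a keytab left stale."""
    svc = "host/server.example.com@EXAMPLE.COM"  # constructed principal name
    kdc, keytab = Kdc(), Keytab()
    k1 = secrets.token_bytes(32)
    kdc.set_key(svc, 1, k1)
    keytab.add(svc, 1, k1)
    old_ticket = kdc.issue_ticket(svc, "alice@EXAMPLE.COM")  # issued under kvno 1

    # Service re-keys: KDC and keytab both gain kvno 2; keytab keeps kvno 1.
    k2 = secrets.token_bytes(32)
    kdc.set_key(svc, 2, k2)
    keytab.add(svc, 2, k2)
    new_ticket = kdc.issue_ticket(svc, "bob@EXAMPLE.COM")

    results = {
        "old_ticket_after_rekey": accept_ticket(keytab, old_ticket),
        "new_ticket": accept_ticket(keytab, new_ticket),
    }

    # KDC re-keys again but nobody refreshes the keytab: kvno 3 is unknown.
    kdc.set_key(svc, 3, secrets.token_bytes(32))
    stale = kdc.issue_ticket(svc, "carol@EXAMPLE.COM")
    try:
        accept_ticket(keytab, stale)
        results["unknown_kvno"] = "accepted"
    except LookupError as exc:
        results["unknown_kvno"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in rekey_scenario().items():
        print(f"{name}: {outcome}")
```

Two things the walk-through makes concrete: the kvno is only a selector, so retaining kvno 1 in the keytab is what lets alice's pre-rekey ticket still decrypt, and the lookup failure for kvno 3 is exactly the "keytab needs updating" signal rather than a bad decrypt. Dropping old kvnos from the keytab is therefore a deliberate choice that invalidates outstanding tickets, not a no-op cleanup.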