[Freeipa-devel] Notes on server to server sasl

Rich Megginson rmeggins at redhat.com
Fri Oct 31 16:26:35 UTC 2008


Simo Sorce wrote:
> On Fri, 2008-10-31 at 09:18 -0600, Rich Megginson wrote:
>
>>> The credential cache contains the expiration date of the credentials,
>>> you should be able to check without contacting the KDC (and we do not
>>> want to contact the KDC at all, unless we need to acquire a ticket).
>> So if current datetime < cred expiration datetime, then the creds are 
>> ok?  No other validation needs to be done?
>
> Usually it is safe to assume so.
> The only exception is someone generating a new key for the service, and
> replacing the service keytab instead of appending to it (so that the
> older key material with the previous kvno is no longer available to the
> server, which cannot verify older credentials still valid).
>
> In this case you should get back an auth error. You may decide at this
> point to discard the current ticket and try to acquire a new one.
Ok.  Hmm - seems that my code will need to add some further complexity.  
Right now it just takes the first entry from the server's keytab file 
and uses that for authentication.  Is it possible the keytab may contain 
entries that cannot/should not be used?
> Simo.
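The ticket-reuse and keytab-selection logic discussed in this thread, as an added example that is not FreeIPA or 389 DS code: it models the credential cache, the keytab entries and the peer with plain Python objects instead of the krb5 API, so `CachedCred`, `present` and `acquire` are stand-ins and the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class CachedCred:
    service: str
    expires: datetime
    kvno: int  # version of the service key the ticket was encrypted under

class AuthError(Exception):
    pass  # peer rejected the ticket, e.g. its key was rotated and the old key dropped

def ticket_usable(cred, now, skew=timedelta(minutes=5)):
    """Local check only, no KDC round trip: expired or about to expire -> unusable."""
    return now + skew < cred.expires

def select_keytab_kvno(entries, principal):
    """entries: (principal, kvno) pairs. Filter by principal, prefer highest kvno."""
    matching = [kvno for princ, kvno in entries if princ == principal]
    if not matching:
        raise LookupError(f"no keytab entry for {principal}")
    return max(matching)

def authenticate(cred, now, present, acquire):
    """Reuse the cached ticket if it looks valid; on auth error discard it and acquire once."""
    if cred is not None and ticket_usable(cred, now):
        try:
            return present(cred), cred
        except AuthError:
            pass  # peer can no longer verify the old kvno; fall through to reacquire
    fresh = acquire()
    return present(fresh), fresh

def demo():
    """Constructed scenario: ldap/ key rotated (kvno 2 -> 3); cached kvno-2 ticket still valid locally."""
    now = datetime(2008, 10, 31, 16, 0, tzinfo=timezone.utc)
    keytab = [("host/a.example.test@EXAMPLE.TEST", 1),
              ("ldap/a.example.test@EXAMPLE.TEST", 2), ("ldap/a.example.test@EXAMPLE.TEST", 3)]
    stale = CachedCred("ldap/b.example.test@EXAMPLE.TEST", now + timedelta(hours=1), 2)
    acquired = []
    def present(cred):  # stands in for the SASL/GSSAPI bind to the peer
        if cred.kvno != 3:
            raise AuthError("unknown kvno")
        return "bound"
    def acquire():  # stands in for fetching a new ticket from the KDC
        acquired.append(CachedCred(stale.service, now + timedelta(hours=8), 3))
        return acquired[-1]
    outcome, used = authenticate(stale, now, present, acquire)
    return {"keytab_kvno": select_keytab_kvno(keytab, "ldap/a.example.test@EXAMPLE.TEST"),
            "stale_usable_locally": ticket_usable(stale, now), "outcome": outcome,
            "kdc_round_trips": len(acquired), "used_kvno": used.kvno}
```

The local expiry check alone would have reused the stale ticket; only the peer's auth error triggers the single reacquire, which is the path the thread describes.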