[Freeipa-devel] Notes on server to server sasl

Simo Sorce ssorce at redhat.com
Fri Oct 31 17:35:01 UTC 2008


On Fri, 2008-10-31 at 10:26 -0600, Rich Megginson wrote:
> Simo Sorce wrote:
> > On Fri, 2008-10-31 at 09:18 -0600, Rich Megginson wrote:
> >
> >   
> >>> The credential cache contains the expiration date of the credentials,
> >>> you should be able to check without contacting the KDC (and we do not
> >>> want to contact the KDC at all, unless we need to acquire a ticket).
> >>>   
> >>>       
> >> So if current datetime < cred expiration datetime, then the creds are 
> >> ok?  No other validation needs to be done?
> >>     
> >
> > Usually it is safe to assume so.
> > The only exception is someone generating a new key for the service, and
> > replacing the service keytab instead of appending to it (so that the
> > older key material with the previous kvno is no longer available to the
> > server which cannot verify older credentials still valid).
> >
> > In this case you should get back an auth error. You may decide at this
> > point to discard the current ticket and try to acquire a new one.
> >   
> Ok.  Hmm - seems that my code will need to add some further complexity.  
> Right now it just takes the first entry from the server's keytab file 
> and uses that for authentication.  Is it possible the keytab may contain 
> entries that cannot/should not be used?

You manually parse the keytab ?

In a keytab you can have entries for many different services, as well as
multiple entries for the same service but with different kvno.
The highest kvno is the newest one and should be the one to be used.
Older keys can be used only to accept valid tickets in the time-frame
that the old keys are still valid.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
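As an added illustration (not code from this thread, nor from the FreeIPA or 389 code base), the following parses an MIT keytab in format 0x0502 and selects the highest-kvno entry per principal, which is the key Simo says a server should use for new authentication; older entries stay available only to accept tickets still encrypted under the previous key. The realm, principal names, enctype numbers and key bytes in SAMPLE_KEYTAB are constructed.

```python
import struct

def _pack_entry(realm, components, kvno, keytype, key):
    # Build one MIT keytab (format 0x0502) entry; used only for constructed sample data.
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # name type, timestamp, vno8
    body += struct.pack(">HH", keytype, len(key)) + key      # enctype + counted key bytes
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Yield (principal, kvno, enctype, key) for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                          # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):            # realm first, then each name component
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos); pos += 13
        key = data[pos:pos + klen]; pos += klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        kvno = vno32 or vno8                  # trailer overrides vno8 when present and nonzero
        pos = end
        yield "/".join(parts[1:]) + "@" + parts[0], kvno, enctype, key

def newest_keys(data):
    """Map each principal to its highest-kvno entry: the key to use for new authentication."""
    best = {}
    for princ, kvno, enctype, key in parse_keytab(data):
        if princ not in best or kvno > best[princ][0]:
            best[princ] = (kvno, enctype, key)
    return best

# Constructed sample: the ldap service has kvno 1 and 2 (key rotated by appending), host has kvno 1.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    _pack_entry("EXAMPLE.TEST", ["ldap", "ipa1.example.test"], 1, 18, b"\x01" * 32),
    _pack_entry("EXAMPLE.TEST", ["ldap", "ipa1.example.test"], 2, 18, b"\x02" * 32),
    _pack_entry("EXAMPLE.TEST", ["host", "ipa1.example.test"], 1, 17, b"\x03" * 16),
])
```

Taking only the first entry of such a file, as the original code did, would pick kvno 1 for the ldap service even though the KDC is already issuing tickets under kvno 2.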
