>I think this has all the elements Jeff thought were essential
>except for:
> 1) a text reason for no <-- not seeing what you would say -- "no means no"?

Let's say, for example, you wanted to require hardware preauthentication for some services (I doubt _you_ would, but that is something that we do). You could return a message that says, "Hardware preauthentication is required to access this system". Or you might want to return a message of the form, "Kerberos principal [EMAIL PROTECTED] is not permitted to login to account hascall". Or you might want to return the message, "You're fired, piss off!". Or ... well, you get the idea.

I could maybe see the argument that this might be a security issue; if you think that's the case, the hypothetical authz server could simply return "Permission denied" for every failure. But if the error text is returned by the server, that gives you the option of adding more useful error messages in the future.

Me, I've found that the more useful of an error message you can return, the easier time you have in terms of user support.

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
