On 5/17/2010 7:37 PM, Richard Johnson wrote:
>
> The misbehavior:
>
> When a TGT with the Renewable flag set is used to obtain an ftp or host ticket
> on an MIT Kerberos client, that ftp or host service ticket also has the
> Renewable flag set. I call this misbehavior as it seems nonsensical. If an
> ftp or host service ticket is expired, a new one will be obtained; there's no
> need to make them renewable.

It would only be nonsensical if the assumption were that the obtained service ticket would never be used without possession of the TGT. A renewable service ticket permits that ticket to be handed off to a process which is meant to do a specific task (local or remote) without the dangers inherent in delegating a TGT.

Jeffrey Altman
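
To see which service tickets in a credential cache carry the Renewable flag discussed in this thread, the following added example (not part of the original messages) parses `klist -f` output in the MIT Kerberos layout. The sample output, principals and function names are constructed for illustration.

```python
import re

# Constructed sample of `klist -f` output; every value here is made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
05/17/10 19:00:00  05/18/10 05:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/24/10 19:00:00, Flags: FRIA
05/17/10 19:05:00  05/18/10 05:00:00  host/ftp.example.com@EXAMPLE.COM
\trenew until 05/24/10 19:00:00, Flags: FRAT
05/17/10 19:06:00  05/18/10 05:00:00  ftp/ftp.example.com@EXAMPLE.COM
\tFlags: FAT
"""

# "<start date time>  <end date time>  <service principal>"
ENTRY = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+@\S+)$")
# Indented detail line: optional "renew until ...", then the flag letters.
DETAIL = re.compile(r"^\s+(?:renew until (\S+ \S+), )?Flags: (\w+)$")


def parse_klist(text):
    """Return one dict per ticket with service, expiry, renew-until and flags."""
    tickets = []
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            tickets.append({"service": entry.group(3), "expires": entry.group(2),
                            "renew_until": None, "flags": ""})
            continue
        detail = DETAIL.match(line)
        if detail and tickets:
            tickets[-1]["renew_until"] = detail.group(1)
            tickets[-1]["flags"] = detail.group(2)
    return tickets


def renewable_service_tickets(tickets):
    """Service principals (TGTs excluded) whose ticket has the R flag set."""
    return [t["service"] for t in tickets
            if "R" in t["flags"] and not t["service"].startswith("krbtgt/")]


if __name__ == "__main__":
    for service in renewable_service_tickets(parse_klist(SAMPLE_KLIST)):
        print("renewable service ticket:", service)
```
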
