On Fri, Jul 22, 2011 at 7:04 PM, Greg Hudson <[email protected]> wrote:
> On Fri, 2011-07-22 at 18:10 -0400, Nico Williams wrote:
>> Why are you not using the GSS-API?
>
> Chris started out by asking about user-to-user auth, so I didn't
> redirect him to GSSAPI since, as far as I know, GSSAPI doesn't have a
> story there (for the krb5 mech, at least).
Indeed, the krb5 mech has no story here. I'm thinking we should have the initiator send a bogus AP-REQ with a new auth-options flag. If the server understands it, it would respond with a KRB-ERROR with the TGT in the e-data, else with a plain KRB-ERROR.

It'd be nice to also make KRB_AP_ERR_USER_TO_USER_REQUIRED a retriable error, with the TGT in e-data. Again, a new auth-options flag would help here. (But this error is not likely to be very common at all. Instead I imagine that clients will get KDC_ERR_MUST_USE_USER2USER and so they'll just know to ask for a u2u TGT.)

Nico
--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
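The probe-and-fallback exchange sketched in the reply above, as an added toy model that is not code from this thread or from MIT Kerberos: the `want_server_tgt` flag, the `AppServer`/`Kdc` classes and the TGT bytes are constructed stand-ins for the proposed new auth-option, and the model shows both the flag-aware server path and the older-server failure mode (plain KRB-ERROR, no e-data).

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Union

class Err(Enum):
    KDC_ERR_MUST_USE_USER2USER = auto()        # RFC 4120 error name
    KRB_AP_ERR_USER_TO_USER_REQUIRED = auto()  # RFC 4120 error name

@dataclass
class KrbError:
    code: Err
    e_data: Optional[bytes] = None  # under the proposal, the server's TGT rides here

@dataclass
class Ticket:
    server: str
    u2u: bool  # True when issued against the server's TGT (user-to-user)

@dataclass
class ApReq:
    want_server_tgt: bool  # HYPOTHETICAL new auth-options flag from the proposal

class AppServer:
    """Constructed application server that only accepts user-to-user tickets."""
    def __init__(self, name: str, tgt: bytes, knows_flag: bool):
        self.name, self.tgt, self.knows_flag = name, tgt, knows_flag

    def handle_ap_req(self, req: ApReq) -> KrbError:
        # A flag-aware server answers the bogus AP-REQ with its TGT in e-data;
        # an older server answers with a plain KRB-ERROR and no e-data.
        e_data = self.tgt if (req.want_server_tgt and self.knows_flag) else None
        return KrbError(Err.KRB_AP_ERR_USER_TO_USER_REQUIRED, e_data)

class Kdc:
    def __init__(self, u2u_only: set):
        self.u2u_only = u2u_only  # constructed set of user-to-user-only principals

    def tgs_req(self, server: str, u2u_tgt: Optional[bytes]) -> Union[Ticket, KrbError]:
        # Without the server's TGT, a u2u-only principal yields KDC_ERR_MUST_USE_USER2USER.
        if server in self.u2u_only and u2u_tgt is None:
            return KrbError(Err.KDC_ERR_MUST_USE_USER2USER)
        return Ticket(server, u2u=u2u_tgt is not None)

def get_service_ticket(kdc: Kdc, server: AppServer) -> Union[Ticket, str]:
    """Client: ordinary TGS-REQ first; on MUST_USE_USER2USER, probe the server for its TGT."""
    resp = kdc.tgs_req(server.name, u2u_tgt=None)
    if isinstance(resp, Ticket):
        return resp
    probe = server.handle_ap_req(ApReq(want_server_tgt=True))
    if probe.e_data is None:  # failure mode: the peer predates the flag
        return "no TGT in e-data; cannot build the u2u TGS-REQ"
    return kdc.tgs_req(server.name, u2u_tgt=probe.e_data)
```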
