On Tue, 2011-08-09 at 19:34 -0400, Chris Hecker wrote:
> I think I'm confused about the kvno, then. Is that because the KDC will
> always use the latest kvno, so the code just sends the latest it's got
> and hopes it works (and if not, it means the keytab needs updating)?

More or less. You have to know the current key for an AS exchange (that may not be true for certain kinds of preauth, but it's the general design) so there's no need for a kvno.

> But, for other kinds of stuff, like decoding tickets from clients, the
> server checks the kvno since that's what allows tickets older than a
> recently changed key to still work?

Right. If a server re-keys while I already have a ticket for it, the kvno lets the server pick the correct key for my ticket even though it's not current.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
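A toy model of both halves of the exchange above (client picks the current key for the AS exchange; server picks the key the ticket's kvno names, even after a re-key), added here as an illustration and not code from the thread or from MIT Kerberos. The principal, keytab entries and keys are constructed, and the "encryption" is a SHAKE/HMAC stand-in, not a real Kerberos enctype.

```python
import hashlib
import hmac

# Constructed toy keytab: (principal, kvno, key). A real keytab keeps older
# kvnos after a re-key so existing tickets still decrypt; kvno 4 is current.
SERVICE = "host/srv.example.com@EXAMPLE.COM"
KEYTAB = [
    (SERVICE, 3, bytes.fromhex("11" * 32)),
    (SERVICE, 4, bytes.fromhex("22" * 32)),
]


def current_kvno(keytab, principal):
    """Client side: an AS exchange needs the current key, i.e. the highest kvno on file."""
    kvnos = [v for p, v, _ in keytab if p == principal]
    if not kvnos:
        raise KeyError(principal)
    return max(kvnos)


def key_for_kvno(keytab, principal, kvno):
    """Server side: the ticket's EncryptedData carries the kvno it was sealed
    under (RFC 4120 EncryptedData.kvno), so select that key, stale or not."""
    for p, v, key in keytab:
        if p == principal and v == kvno:
            return key
    raise KeyError(f"no kvno {kvno} key for {principal}: keytab needs updating")


def _xor_stream(key, data):
    # Toy keystream from SHAKE-256; NOT a Kerberos enctype, just a placeholder.
    ks = hashlib.shake_256(key + b"toy-stream").digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key, kvno, plaintext):
    """Encrypt-then-MAC, returning an EncryptedData-like dict {kvno, cipher, tag}."""
    cipher = _xor_stream(key, plaintext)
    tag = hmac.new(key, cipher, hashlib.sha256).digest()
    return {"kvno": kvno, "cipher": cipher, "tag": tag}


def open_ticket(keytab, principal, enc):
    """Decrypt with the key the ticket's kvno names, not with the newest key."""
    key = key_for_kvno(keytab, principal, enc["kvno"])
    tag = hmac.new(key, enc["cipher"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, enc["tag"]):
        raise ValueError("integrity check failed: key does not match kvno")
    return _xor_stream(key, enc["cipher"])
```

A ticket sealed under kvno 3 still opens after the service has moved to kvno 4; a ticket naming a kvno the keytab lacks fails with a KeyError, which is the "keytab needs updating" case from the thread.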
