Greg Hudson <[email protected]> writes:

> On Tue, 2011-09-27 at 01:42 -0400, Chris Hecker wrote:
>
>> 8. For u2u authn, I think the user_user sample is backwards. In other
>> words, it's always the client in a normal krb5 application that calls
>> get_credentials and talks to the KDC, yet in the user_user sample that
>> code is in server.c.
>
> Again, I could only really speculate as to why it's organized that way.
> But even if you reversed the roles, the server would still have to
> maintain a TGT which means talking to the KDC (although that could be
> done by a separate process).

If you take the viewpoint where the client is the process that calls mk_req, then the roles are backward. If you take the viewpoint where the client is the process that initiates the client-server interaction, then the roles are the right way around.

For user-to-user to work, one party has to give another its TGT. In the user-to-user example, I believe the reason the "client" process is the one to send its TGT to the other end is because it's possible to minimize the number of messages that way.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
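
A toy model of the ticket handling in the user-to-user exchange discussed in this thread, added here as an illustration; it is not code from the message or from the MIT user_user sample. The `seal`/`unseal` cipher, the principal names and every function name are assumptions made for the example, and the KDC's reply encryption to the requester is omitted.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a toy keystream
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption standing in for a Kerberos enctype."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ticket")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))
    return json.loads(pt)

KRBTGT_KEY = os.urandom(32)  # constructed KDC key, known only to the KDC

def kdc_issue_tgt(principal):
    """AS exchange, collapsed: returns (TGT, TGT session key)."""
    session_key = os.urandom(32)
    return seal(KRBTGT_KEY, {"client": principal, "key": session_key.hex()}), session_key

def kdc_u2u_ticket(requester_tgt, peer_tgt):
    """TGS exchange with the peer's TGT as the additional ticket."""
    requester = unseal(KRBTGT_KEY, requester_tgt)
    peer = unseal(KRBTGT_KEY, peer_tgt)
    ticket_key = os.urandom(32)
    body = {"client": requester["client"], "server": peer["client"], "key": ticket_key.hex()}
    # The ticket is sealed under the session key of the peer's TGT, not a long-term key.
    return seal(bytes.fromhex(peer["key"]), body), ticket_key

def run_sample_flow():
    """Roles as in the user_user sample: the connecting process sends its TGT."""
    tgt_c, key_c = kdc_issue_tgt("connector")     # the sample's "client"
    tgt_l, _ = kdc_issue_tgt("listener")          # the sample's "server"
    wire = [("connector->listener", tgt_c)]       # message 1: TGT travels with the connect
    ticket, ticket_key = kdc_u2u_ticket(tgt_l, tgt_c)
    wire.append(("listener->connector", ticket))  # message 2: AP-REQ with the ticket
    return unseal(key_c, ticket), ticket_key, len(wire)
```

The connecting process can open the ticket only because it holds the session key of the TGT it handed over, which is why one side has to give the other its TGT.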
