Mats Erik Andersson <g...@gisladisker.se> writes:

> The patch in this thread intended to address this, and the matter still
> is bound by the administrator's decision. Perhaps the factor five should
> be replaced by ten as breaking point, but it was chosen as a possible
> mode of detecting an excessive time limit. I do not know for sure. Let me
> add that another idea for a solution was stated in [1], but it never
> caught any attention.

Oh, I see. I'm actually surprised that *all* Kerberos clients don't send an empty ticket lifetime by default. That seems like a sensible thing to do, since then the client gets whatever the server default is.

> Luckily, collecting my thoughts for this answer, I have found a third
> way of attack, which seems to be what you are looking for. It copes in
> the desired way with the Solaris clients, and leaves all other
> untouched.

Yes, this looks right and like what I would expect (assuming that ticketlife is the server configuration for the maximum ticket life).

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>