Re: heimdal http proxy

2021-09-11 Thread Rick van Rein
Hello Charles, > I'd like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac > uses Heimdal. SPNEGO has really a low security level. I am surprised this is considered acceptable for a https proxy. We are working on two better solutions, with software that classifies only

kadm5 API questions

2019-03-21 Thread Rick van Rein
Hello, I am programming to the kadm5 API, and a few things are not clear to me. Can anyone help? 1. There is some mention in the code about old and new GSS-API authentication (kadmin options -O and -N to force). What is the difference, and is the new style still based on GSS-API? 2. IIRC, a

Extracting AuthorizationData from GSS-API credentials?

2018-10-26 Thread Rick van Rein
Hi, Is there an API to extract AuthorizationData from GSSAPI credentials that use Kerberos under the hood? I cannot find it in the RFCs. Thanks, -Rick Kerberos mailing list Kerberos@mit.edu

Getting a type code for AuthorizationData

2018-10-05 Thread Rick van Rein
Hello, Is there a registry or registrar for the ad-type values for Authorization Data? I assume documentation in a static place is appreciated, perhaps even required. To me, an Internet Draft would seem reasonable. Do people generally advise locally meaningful values in ad-data fields, even

Re: elliptic curve pkinit?

2017-04-03 Thread Rick van Rein
Hey, > Has MIT kerberos implemented pkinit with elliptic curve certs/keys? Some > initial searching points me to an informational ietf RFC posted out there, > but nothing official. FWIW, in the ARPA2 project we're working on Realm Crossover (based on DANE/DNSSEC) which uses ECDHE. The

Re: remctl 3.13 released

2016-10-11 Thread Rick van Rein
t, and I'm wondering if it would do good or harm when rolling out remctl in that work. Cheers, Rick van Rein OpenFortress

Re: Concealing keys (not even in NSS)

2016-09-20 Thread Rick van Rein
Hi Greg, You're as thorough as always :) > * Ephemeral keys (ticket session keys, initiator and acceptor subkeys) > are generated randomly by one party and sent to the other inside an > encrypted message. Do we extend the protocol so that these keys can be > wrapped in parent keys within the

Concealing keys (not even in NSS)

2016-09-19 Thread Rick van Rein
Hi, I've looked into the mechanism for configurable crypto backends and in particular the NSS backend, which is close to PKCS #11. What I like about PKCS #11 is that it can conceal keys from the libkrb5 library, and thereby from the application's reachable memory. This is not how the NSS crypto

Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

2016-08-27 Thread Rick van Rein
Hi Jordan, > I looked into it, but my negotiate messages look like this: > > "Negotiate YIID..." which I think means that they're kerberos messages? You should base64-decode it [Section 4.1 of RFC 4559] and dump that as GSSAPI content which, at least in this early phase, is DER-encoded. You
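Added example, not code from this thread or from MIT krb5: a small Python decoder for the Negotiate header discussed above. It base64-decodes the value as RFC 4559 section 4.1 describes, reads the RFC 2743 InitialContextToken framing (a value starting "YII" is tag 0x60 followed by a two-byte length, which is why "Negotiate YIID..." looks the way it does), and reports whether the mechanism OID is SPNEGO or raw Kerberos V5; for SPNEGO it also lists the offered mechTypes. The two sample tokens are constructed inside the code, not captured traffic, and the AP-REQ body in the Kerberos sample is a zero-byte placeholder.

```python
"""Decode an HTTP 'Negotiate' token and identify its GSS-API mechanism.

RFC 4559 sec. 4.1: header value is "Negotiate " + base64(GSS-API token).
RFC 2743 sec. 3.1: an initial context token is DER [APPLICATION 0] { OID mech, inner }.
"""
import base64

KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",               # RFC 4178
    "1.2.840.113554.1.2.2": "Kerberos V5",   # RFC 4121
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",     # Microsoft
}


def der_read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]; handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """DER OID contents -> dotted string (first octet packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_negotiate(header_value):
    """Return {'mech_oid', 'mech', 'mech_types'?} for an 'Authorization: Negotiate ...' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    tag, body, _ = der_read_tlv(token)
    if tag != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken (outer tag 0x%02x)" % tag)
    tag, oid_raw, pos = der_read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected mechanism OID after the APPLICATION 0 tag")
    mech_oid = decode_oid(oid_raw)
    result = {"mech_oid": mech_oid, "mech": KNOWN_MECHS.get(mech_oid, "unknown")}
    if mech_oid == "1.3.6.1.5.5.2":
        # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... } (RFC 4178 sec. 4.2.1)
        _, neg_init, _ = der_read_tlv(body, pos)      # [0]            (0xA0)
        _, seq, _ = der_read_tlv(neg_init)            # SEQUENCE       (0x30)
        _, mech_types, _ = der_read_tlv(seq)          # [0] mechTypes  (0xA0)
        _, oids, _ = der_read_tlv(mech_types)         # SEQUENCE OF OID (0x30)
        offered, p = [], 0
        while p < len(oids):
            _, raw, p = der_read_tlv(oids, p)
            dotted = decode_oid(raw)
            offered.append(KNOWN_MECHS.get(dotted, dotted))
        result["mech_types"] = offered
    return result


# --- constructed sample tokens (not captured traffic) ---------------------------

def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


# SPNEGO NegTokenInit offering Kerberos V5 then NTLMSSP (no optimistic mechToken included).
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    _der(0x60, _oid("1.3.6.1.5.5.2") +
         _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, _oid("1.2.840.113554.1.2.2") +
                                                      _oid("1.3.6.1.4.1.311.2.2.10"))))))
).decode()

# Raw Kerberos V5 mechanism token: TOK_ID 01 00 followed by an AP-REQ. The AP-REQ here is a
# 300-byte zero placeholder, large enough to force the long-form length seen in real "YII..." tokens.
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    _der(0x60, _oid("1.2.840.113554.1.2.2") + b"\x01\x00" + bytes(300))
).decode()

if __name__ == "__main__":
    print(parse_negotiate(SAMPLE_SPNEGO))
    print(parse_negotiate(SAMPLE_KRB5), SAMPLE_KRB5[:14])
```

A real token's inner content (the AP-REQ, or a NegTokenInit carrying one) is itself DER and can be walked with the same der_read_tlv loop; the decoder stops at the mechanism layer because that is the question the thread asks.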

Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

2016-08-26 Thread Rick van Rein
Jordan, > I haven't tried to implement the continuation of the context yet, because it > will be a fair amount of work, so I thought I'd email the group to ask > whether it's likely that there is just a problem with my setup, or if I'm > mistaken and it is possible to get a continue_needed when

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-24 Thread Rick van Rein
Hey, >> To be clear, the whole point of what I'm proposing is that the client >> would have ZERO dependencies. Being able to do proper auth and then >> get a TLS session that uses the crypto context established during auth >> instead of traditional certificate would be a big deal. The general

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-24 Thread Rick van Rein
Hey Mike, > But it would be even better if the client could (or had the option to) > do authentication with the service directly and thus eliminate the > numerous dependencies for clients (DNS, KDC access, stale tickets, > time sync...). I doubt you could use Kerberos without these components

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-23 Thread Rick van Rein
sor to https://tools.ietf.org/html/draft-vanrein-tls-kdh-04 We also have plans for automatic realm crossover including client identity pseudonymity. But, alas, this is not ready to roll out yet. We're still finishing the work as we speak. Cheers, Rick van Rein for the InternetWide.org / ARPA2

Re: Canonicalize on Mac

2016-03-24 Thread Rick van Rein
Hey Tim, >> Have you tried using kinit without --canonicalize against AD, while >> playing around with the case? > Yes, kinit NAME results in NAME@REALM principal in cache. kinit name results > in name@REALM. This is what I am trying to avoid since I want a consistent > principal name using the

Re: Canonicalize on Mac

2016-03-24 Thread Rick van Rein
Hi Tim, > When I configure Kerberos on a Mac OSX system, and login to the Mac > and then run klist I see a principal name which is lower case but in > AD the principal name is mixed case. I heard before that AD accepts case changes (hearsay). Not sure if that only reflected on the realm, or

Re: Quick question related to Kerberos + AES256 + SHA2

2016-02-25 Thread Rick van Rein
OK, Also note that the hash is not SHA1 but HMAC-SHA1, which is much stronger. I didn't make that clear before. -Rick

Re: Quick question related to Kerberos + AES256 + SHA2

2016-02-25 Thread Rick van Rein
Hey, You cannot mix any set of algorithms you want, but you need a predefined encryption type. Compare it to TLS' ciphersuites if you like. ` The standardised list is available on http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml The closest to what you are asking

k5wiki: Impromptu Realm Crossover with Kerberos

2016-01-19 Thread Rick van Rein
he KDC due to these setup actions. Cheers, Rick van Rein OpenFortress.nl / ARPA2.net

PKINIT certificate creation with GnuTLS' certtool

2016-01-08 Thread Rick van Rein
Hello, I have reported a feature request with GnuTLS, suggesting it to support PKINIT certificate generation with certtool, https://gitlab.com/gnutls/gnutls/issues/62 Nikos Mavrogiannopoulos is graciously helping out, and has created a proposed commit,

Re: building mit krb5 with gnutls crypto support

2015-12-21 Thread Rick van Rein
Sibu, Not sure what you are trying to do; GnuTLS implements TLS and MIT kerberos normally does not use TLS, so there is no overlap of interest. Nettle can be found at http://www.lysator.liu.se/~nisse/nettle/ What the two have in common is a set of basic cryptographic routines, which in the case

Re: building mit krb5 with gnutls crypto support

2015-12-21 Thread Rick van Rein
Hi Sibu, I would have been surprised if that works; you can only choose from a limited set of options and nettle is not included I think. For compatibility with Shishi you don't need it, the crypto-algorithms are compatible across implementations. It may be a bit farfetched what you want, but

Re: SPNEGO question

2015-11-09 Thread Rick van Rein
Hi Pascal, > I was able to have it to work (with firefox) when calling simple URI > such as http://host.domain.tld but not when calling > http://host.domain.tld/test_dir. That surprises me. I've been putting host.fqdn.names and .domain.names into the network.negotiate-auth.trusted-uris field in

Re: Packing Kerberos Tickets into X.509 certificates

2015-11-01 Thread Rick van Rein
Hi Bryce, > I may be asking a question which exposes either my ignorance or lack > of imagination, but is there a reason a kx509 (RFC6717/RFC4556) > certificate wouldn't work? Wouldn't it be easier to add support for > these previously defined extensions? > I'm happy to answer that of course; but

Packing Kerberos Tickets into X.509 certificates

2015-10-31 Thread Rick van Rein
Hello, Attached is an X.509 certificate holding a Kerberos Ticket as public key info and an Authenticator with the checksum SHA1(TBSCertificate) as a certificate self-signature. A demo that generates such self-signed certificates from within a MIT krb5 environment is on

krb5 API: getting to e-data after krb5_get_credentials

2015-10-31 Thread Rick van Rein
Hello, In an attempt to keep a possible extension in userspace, I'm looking to get to the e-data after an error message. IIRC, the krb5 API only releases that information with krb5_init_creds_get_error() but that does not seem to be the right extraction function after krb5_get_credentials(). I

Re: end of key table reached error

2015-10-30 Thread Rick van Rein
Hi Vishal, > I think there is some issue with keytab file , I see multiple kvno in > keytab i.e 74 & 75. Is it practical? We have 1.7 release. This is not uncommon; these are key version numbers. They help to distinguish various keys assigned to a particular principal. RFC 4120 says Key

Re: Constrained Delegation and PAC : Realm crossover

2015-10-22 Thread Rick van Rein
Hi Simo / others, >>> What I'm left wondering is, if the client's KDC knows what delegations >>> are permitted, as is the case with FreeIPA, is it not simpler to pass on >>> the additional tickets for smtp/ and imap/ in an AD structure in the >>> webmail ticket? >> This is a potential

Re: Constrained Delegation and PAC : Realm crossover

2015-10-20 Thread Rick van Rein
Hi Simo, > I guess I need to ask you for a detailed example of a transaction to > understand what you are aiming to. Gladly, thanks :) An example of use I have in mind is a party owning a domain name, based on externally hosted components from online providers, all secured and linked together

Re: Constrained Delegation and PAC : Realm crossover

2015-10-20 Thread Rick van Rein
Hi, > There are 2 different approaches for Constrained Delegation, one where > Access control is applied at the KDC level, and one that relies on the > receiving service to apply access control. > > When using an MS-PAC you have an AD element that tells you whether the > ticket is the result of

Re: Constrained Delegation and PAC : Realm crossover

2015-10-20 Thread Rick van Rein
Hi, >> What I'm left wondering is, if the client's KDC knows what delegations >> are permitted, as is the case with FreeIPA, is it not simpler to pass on >> the additional tickets for smtp/ and imap/ in an AD structure in the >> webmail ticket? > > This is a potential optimization I have been

Re: Constrained Delegation and PAC : Realm crossover

2015-10-18 Thread Rick van Rein
Hi Simo / others, Thanks for your reply. I found KILE and PAC from SFU, but am having a hard time figuring out what goes where, and whose responsibilities lie where. That's not really obvious from these specs :-S >> I know that the security is based on a PAC, but it is unclear where it >> is

Constrained Delegation and PAC : Realm crossover

2015-10-15 Thread Rick van Rein
Hello, Does anyone on this list have S4U2Proxy or "Constrained Delegation" experience? I know that the security is based on a PAC, but it is unclear where it is enforced -- in the benevolent service, or in the KDC. And, if it is the KDC, which one if client and service realms differ? The

Re: A client name with an '@'

2015-06-03 Thread Rick van Rein
Hi, Nordgren, Bryce L -FS wrote: > I could, but I'm not certain the MIT Kerberos KDC (to which kinit is connecting) knows how to canonicalize. It does not. It will however handle usernames with an embedded @ as any other, as you've already found. > Boy if I could get user principal mapping

Re: upgrade the inter-realm trust key to AES

2015-05-27 Thread Rick van Rein
> List, I would like to upgrade my inter-realm trust key from DES to AES. I've always wondered... Those descriptions that explain that we need a ticket krbtgt/A@B to allow clients in realm B to access services in realm A (right?) seem to forget about one thing, namely to avoid failures

Is there a CApath concept in AD/DC?

2015-04-17 Thread Rick van Rein
Hello, MIT krb5 features a CApath setting through which an external party can help to find a path to realms that are not locally configured / crossed-over. Does Windows AD/DC have a similar feature, and how is it setup? For MIT krb5 I believe it's not possible to relay anything unknown through

Re: S4U2self/S4U2Proxy question

2015-04-05 Thread Rick van Rein
Hello Praveen, The following information says it is expired, http://k5wiki.kerberos.org/wiki/Projects/Services4User and points to, http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation which states This project was completed in release 1.8. Further below, it says: We provide a

Re: S4U2self/S4U2Proxy question

2015-04-05 Thread Rick van Rein
Hello Praveen, > We have a hadoop cluster that uses MIT Kerberos for perimeter security. The Kerberos principles are stored in Oracle database which is the backend for KDC. > Does this mean that without changing my backend to LDAP I cannot use S4U features. I don't know about an Oracle backend,

Re: Concealing user principal names for realm crossover

2015-03-19 Thread Rick van Rein
Hi Nico, Thanks. > See the IETF ABFAB WG. They have a GSS mechanism that can do what you want. I’m not sure what you mean — they have GSS-EAP of course, but is that what you mean? > Per-group principal names are not that useful, especially if you have many group memberships. First, it means

Re: Concealing user principal names for realm crossover

2015-03-18 Thread Rick van Rein
Hi Greg, Thanks once more for an extensive answer! It really helps that you point out the paths, and even already balance pros and cons. I also don’t know if Kitten will be interested, but we’re willing to help out if this is the case. Since we’re doing this for other credential types, it

Re: Concealing user principal names for realm crossover

2015-03-16 Thread Rick van Rein
Hello, Simo Sorce wrote: >> * Is this concealment of user names considered a good idea? > It may be useful I now realise I didn’t state my purposes: * the ability of a remote service to configure access to roles/groups, and leave the assignment of individuals to roles/groups to the sender

Concealing user principal names for realm crossover

2015-03-14 Thread Rick van Rein
Hello, I’ve been looking for ways of concealing principal names with Kerberos. I think this is of interest in relation to Internet-wide realm crossover with Kerberos. The only way I found are the anonymity mechanisms of RFC 6112, but that provides too little information to the service to

Re: Smart lock protocol

2015-03-13 Thread Rick van Rein
Hello again, I had a few more thoughts on this idea of yours to use Kerberos for your door locks: * When you apply cross-realm tactics (which we are working on for Kerberos, http://realm-xover.arpa2.net/kerberos.html ) you have an identification of your visitors, even when they are granted

Re: Smart lock protocol

2015-03-13 Thread Rick van Rein
Hi Simon, First off, Thanks for all your ideas! > Your idea inspired me. I’m assuming this is a hobby project, as you probably gathered. > The only problems with Kerberos are 1) it requires the user to have internet on his phone There are many ways of bypassing that… - you could use

Re: Smart lock protocol

2015-03-09 Thread Rick van Rein
Hi Simon, First off, Kerberos-enabled front doors sound really cool to me. It would be a lovely showcase of the protocol, and although it’s not mainstream thinking it may turn out to be a genius idea. But you and your visitors would need to setup a KDC link, get a TGT and then a service ticket.

Re: cross realm trusts

2015-02-06 Thread Rick van Rein
Hi Paul, This looks pretty complete to me. I haven’t done this sort of thing yet but I also figured it out like you did. Would be great to hear your experiences on this list. -Rick

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

2014-11-30 Thread Rick van Rein
Hi, Kerberos is not a complete identity solution. As I understand Kerberos, it IS… * a complete local authentication platform * a statically configurable realm-xover authentication platform …and it IS NOT… * an on-the-fly realm-xover authentication platform * an authorisation platform

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

2014-11-28 Thread Rick van Rein
Hi, > it appears that general AVPs for RADIUS / DIAMETER are supported — and that includes RADIUS’ support for Kerberos authentication. Except that it is not supported by the IANA registry, http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10 I think this is simply

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

2014-11-28 Thread Rick van Rein
Hi Frank, > I didn't read the document, but from the name of it the EAP-GSS method I noted earlier would be a true Kerberos authentication -- the client has to pass on a kerberos token, not a password. It sounded like that's what you were going after. Yes, it is, ideally. I wouldn't be

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

2014-11-28 Thread Rick van Rein
Hey, > There were numerous advantages to this approach for our environment, however we never deployed it. I should have written a brief paper at the time. You still may ;-) It would require a new SRV record, and it would confuse Kerberos clients, I suspect. But it’s an interesting angle.

Re: PPTP / L2TP with Kerberos -- what specs does it follow?

2014-11-27 Thread Rick van Rein
Hi Frank, Hugh, Thanks. It sounds rather silly to me, to build such a thing and conceal the protocol — especially with Apple not active on the server market, an open protocol would seem the best choice? There is one potential other link I found, but I’m not sure if it works — RADIUS has a

PPTP / L2TP with Kerberos -- what specs does it follow?

2014-11-26 Thread Rick van Rein
Hello, I was surprised to find Kerberos authentication for both PPTP and L2TP on Mac OS X. I have been looking for specs, including for EAP, but failed to find any. Am I overlooking something? Thanks, -Rick

Re: Help interpreting wireshark traces

2014-10-25 Thread Rick van Rein
Hi Lars, Disclaiming any experience with AD; but this sounds like the domain join might have replaced the keytab that held the old service ticket, or perhaps it is now unreachable because AD has renamed the realm. SASL traces should be visible, at least if you’re not running inside TLS, which is

Re: Help interpreting wireshark traces

2014-10-25 Thread Rick van Rein
Hi, Messing up the default keytabs would also silence my speakers immediately, since the music is served by kerberized NFS4. Indeed, that sounds like the keytabs are fine. My question was about extracting the principal used for authentication from the SASL trace. This hopefully is not AD

Re: What happened to PKCROSS?

2014-10-20 Thread Rick van Rein
. Mixing the two will probably lead to mutual weakening, so I am thinking that it might be useful to split the two, but ensuring that they remain as compatible as can be. Does that sound wise to you? Cheers, Rick van Rein OpenFortress.nl / ARPA2.net

Re: No mention of _kerberos TXT in RFCs / but we have DNSSEC now

2014-10-19 Thread Rick van Rein
Hello all, Based on the responses in this thread, I have drafted a proposal for TXT records, and posted it to Kitten. Any feedback on this is welcome and helpful; but Kitten is probably the best place for it. Thanks, -Rick After a discussion on kerberos@mit.edu about the TXT records that

Re: No mention of _kerberos TXT in RFCs / but we have DNSSEC now

2014-10-18 Thread Rick van Rein
Hi Jeffrey, Thanks! > Speaking as the other author of draft-ietf-krb-wg-krb-dns-locate-03, I have no objection to revisiting the discussion of using TXT records Kerberos in order to further reduce the need for client side configuration. However, I would be unhappy if the implemented

Re: No mention of _kerberos TXT in RFCs / but we have DNSSEC now

2014-10-17 Thread Rick van Rein
Thanks Ken, Benjamin, Your combined response indicates that there is no clear reason that TXT records ought to stay out, and indeed, that the recent introduction of DNSSEC into the landscape means it could have some re-evaluation. That’s pretty much what I wanted to know. No need to dig up

Re: No mention of _kerberos TXT in RFCs / but we have DNSSEC now

2014-10-14 Thread Rick van Rein
Hi Greg, I’m finishing a TLS-with-krb5-and-DH proposal which relies on this record. Without it, there is no chance of knowing how to crossover to other realms (the mechanics of that being unsettled). I may now have to introduce these TXT records in that specification. Is this need

No mention of _kerberos TXT in RFCs / but we have DNSSEC now

2014-10-13 Thread Rick van Rein
Hello, Most of us know about the practice of the _kerberos TXT records in DNS; this can help to translate a servername to a REALM name, which is especially helpful if we want to crossover to other realms. This is coded into MIT krb5, and I bet many of our domains implement it. A grep on my

Kerberos / GSS-API for SCTP

2014-10-10 Thread Rick van Rein
and security. TLS-over-TCP enforces ordering of independent packets, and DTLS-over-UDP isn’t reliable. SCTP is just right, after adding security; and Kerberos is more sane than (D)TLS in our architecture. Thanks, Rick van Rein InternetWide.org / OpenFortress.nl

Re: Kerberos / GSS-API for SCTP

2014-10-10 Thread Rick van Rein
*blush* I solved my own question! I found that the Kerberos mechanism for GSS-API includes a sequence number that is incremented with each wrapped or MIC’d message. I assume that the receiving side would verify that sequence number, and drop anything too old, and perhaps also anything
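Added example, not part of this thread or of any GSS-API library: a sliding-window check of the kind the message assumes the receiving side performs on the per-token sequence number. The status names mirror what gss_unwrap()/gss_verify_mic() report when a context was established with GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG (RFC 2743 section 1.2.3); the window size and the arrival orders are assumptions made for illustration. With replay detection only, reordering (as on an unordered SCTP stream) is accepted and only duplicates are dropped; with sequence enforcement, gaps and late tokens are reported as well.

```python
"""Sliding-window replay / sequence check over per-message sequence numbers.

RFC 4121 Wrap and MIC tokens carry a 64-bit sequence number. Under GSS_C_REPLAY_FLAG and/or
GSS_C_SEQUENCE_FLAG the receiver reports GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN,
GSS_S_UNSEQ_TOKEN or GSS_S_GAP_TOKEN. The bitmap window below (the RFC 4303 anti-replay
shape) is one common way to implement that; the window size is an assumed implementation choice.
"""


class SequenceWindow:
    """Highest sequence number accepted plus a bitmap of the `size` numbers below it."""

    def __init__(self, size=64, enforce_order=False):
        self.size = size
        self.enforce_order = enforce_order   # GSS_C_SEQUENCE_FLAG semantics if True
        self.highest = None                  # highest sequence number accepted so far
        self.bitmap = 0                      # bit i set <=> (highest - i) already seen

    def check(self, seq):
        """Classify one token's sequence number.

        'DUPLICATE' and 'OLD' mean the token must be dropped; 'UNSEQ' and 'GAP' are delivered
        with an informational status; 'OK' is in-order (or, without ordering, merely not replayed).
        """
        if self.highest is None:             # first token establishes the window
            self.highest, self.bitmap = seq, 1
            return "OK"
        if seq > self.highest:               # newest so far: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "GAP" if (shift > 1 and self.enforce_order) else "OK"
        offset = self.highest - seq
        if offset >= self.size:              # too old to be checked for duplication
            return "OLD"
        if (self.bitmap >> offset) & 1:      # already seen: a replayed token
            return "DUPLICATE"
        self.bitmap |= 1 << offset           # late arrival inside the window
        return "UNSEQ" if self.enforce_order else "OK"


def classify(seqs, size=64, enforce_order=False):
    """Run a whole list of received sequence numbers through one window; returns the statuses."""
    window = SequenceWindow(size, enforce_order)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order on an unordered transport: one replay, one reorder.
    arrivals = [0, 1, 2, 2, 5, 3, 4]
    print(classify(arrivals))                       # replay-only: drop the duplicate, accept reordering
    print(classify(arrivals, enforce_order=True))   # strict ordering: also flag the gap and late tokens
```

The window is per context and per direction; the sequence number is protected by the token's checksum, so an attacker cannot re-number a captured token to slip past the window without also breaking the MIC.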

Re: Kerberos5 ticket to ascii converter?

2014-09-30 Thread Rick van Rein
Hi, > Does Kerberos5 have a ticket to ascii converter so someone can see what a ticket looks like in plain text? You might use any ASN.1 parser to see the structure, without it actually being spelled out in terms of the Kerberos field names. -Rick

Re: Kerberos5 ticket to ascii converter?

2014-09-30 Thread Rick van Rein
Hi, > Does Kerberos5 have a ticket to ascii converter so someone can see what a ticket looks like in plain text? You might use any ASN.1 parser to see the structure, without it actually being spelled out in terms of the Kerberos field names. > Is the file format of the ticket cache in

Re: Migrating to new Kerb server - How to move all principals and passwd

2014-09-18 Thread Rick van Rein
Hello Vanna, If your backend store is LDAP, I would expect it to be portable. You can actually try that by having multiple KDCs use the same LDAP, because the KDC has readonly access. You could temporarily shut down the write actions during the transition (kadmin, kpasswd) but even there I

Re: Canonicalisation in kfw-4.0?

2014-09-14 Thread Rick van Rein
Hello Benjamin, >> Am I correct that the kfw-4.0 GUI does not support a Canonicalisation option for the principal name? > I'm not sure I understand the question correctly. Are you asking about RFC 6806 name canonicalization, as used for (e.g.) enterprise principal names? Yes, that’s what I

Canonicalisation in kfw-4.0?

2014-09-13 Thread Rick van Rein
Hello, Am I correct that the kfw-4.0 GUI does not support a Canonicalisation option for the principal name? I cannot find anything of that nature on http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0/kfw-4.0-help/index.html Thanks, -Rick

Creating enterprise principals with kadmin

2014-09-13 Thread Rick van Rein
Hello, I am trying to create an enterprise principal with kadmin.local; but I cannot find what the proper procedure is. What fails is naively doing addprinc u...@example.com@EXAMPLE.COM I do succeed when I instead do addprinc user\@example@example.com I did find that the

Fwd: How do the tickets remember the KDC?

2014-09-12 Thread Rick van Rein
Hello Wendy, > How do the tickets remember the KDC? They don’t. A ticket has a realm, which is looked up in your local kerberos configuration, or if you’re brave enough to trust DNS without DNSSEC in place, in there (after mapping the DNS name to a realmname). The same path reveals the choice

Re: Multiple principals from different realms via kinit?

2014-08-27 Thread Rick van Rein
Hi Olga, > Why? How can I use both at the same time? What is shown is your current identity — that’s only one. Try kswitch (possibly with -i) to switch what is your current identity. The others are still available, but not shown. -Rick

Re: Announcing mod_auth_gssapi

2014-08-15 Thread Rick van Rein
Hello Simo, > I have recently released a new module for Apache called mod_auth_gssapi to modernize a little bit on the ancient and substantially unmaintained mod_auth_kerb. Splendid, thank you very much! Have you considered including advanced facilities like S4U2Proxy (and perhaps S4U2Self)

Re: What happened to PKCROSS?

2014-07-15 Thread Rick van Rein
to the draft. Just send me the source if you’d appreciate that. (*) List, if this discussion should (or should not) take place here, let me/us know. I’m not sure what is desired. Cheers, Rick van Rein OpenFortress / ARPA2.net ## Summary and positioning • PKINIT and kx509 achieve opposite effects

Pragmatic research report: Kerberos5 compatibility

2014-07-15 Thread Rick van Rein
hope this will be of interest to the Kerberos5 community. Cheers, Rick van Rein OpenFortress / ARPA2

Re: What happened to PKCROSS?

2014-07-02 Thread Rick van Rein
Hi Nico, > But mainly the appeal of this approach is that the pieces needed all exist. Are you talking of http://www.citi.umich.edu/projects/kerb_pki/ as your kx509 implementation? It appears to be based on Kerberos4… -Rick

What happened to PKCROSS?

2014-07-01 Thread Rick van Rein
into certificate distribution problems. Or was this not what happened to it? I cannot find anything but hopes and promises; why has it never advanced into an RFC? Thanks, Rick van Rein OpenFortress

Re: What happened to PKCROSS?

2014-07-01 Thread Rick van Rein
Hello Bryce, I’m not sure what status postings on the FreeIPA wiki have — is this like an official project, or is it a place where you develop your thoughts and maybe someday propose an enhancement? I've spent a bit of time pecking away at this over the last six months or so. Current

Re: What happened to PKCROSS?

2014-07-01 Thread Rick van Rein
mayhem that it provokes… I’ll get back to you after reading your draft. Thanks very much! Cheers, Rick van Rein OpenFortress

Insisting on DNSSEC (was: tickets with wrong DNS)

2014-06-09 Thread Rick van Rein
Hi, > The KDC has no way of knowing if DNS is correct or wrong, It could of course use a DNSSEC-aware resolver. > nor would it trust the DNS That is a setting with MIT krb5, and an admin could feel safe to enable it after setting up DNSSEC. > even if it were able to ask a sensible question out

Re: Insisting on DNSSEC (was: tickets with wrong DNS)

2014-06-09 Thread Rick van Rein
Hi, > DNSSEC is an awesome idea for clients, but has really nothing to do with checking if AS requests should succeed or not. When it comes to AS requests, from the KDC POV all that really matters is whether you have a valid key or not. When using pre-authentication (which I haven’t studied

Re: Kerberos5 ticket auto renewal

2014-03-18 Thread Rick van Rein
Wendy, Tickets are not renewed automatically because you need to demonstrate knowledge of the password on a regular basis; someone who somehow gained illegal access is thereby always constrained to a short time slot. Service tickets are requested upon first contact with a server; if you don’t

Re: ASCII dump of data in /etc/krb5.keytab?

2014-03-14 Thread Rick van Rein
Hi. > Does Kerberos have a way to show me the data in /etc/krb5.keytab in ASCII form? ktutil, subcommands rkt and l. -Rick

Re: ACL for Constrained Delegation?

2014-02-20 Thread Rick van Rein
Hello, Thanks for your responses. This arrangement seems to suggest that the delegation constraint is something that will be managed for all principals by the KDC explicitly, rather than the end user being able to decide (or even know?) what explicit delegations are being offered. Am i

Re: ACL for Constrained Delegation?

2014-02-20 Thread Rick van Rein
these questions answered. Thanks for any help you can give, Rick van Rein OpenFortress

ACL for Constrained Delegation?

2014-02-20 Thread Rick van Rein
Thanks Greg, This clarifies the last pieces. Dare I suggest upgrading the (online) documentation? Thanks Simo, For adding an interesting future angle to this story -Rick

Re: ACL for Constrained Delegation?

2014-02-20 Thread Rick van Rein
Hi Simo, > In the default case you generally allow all in these situations. You mean, you’d like to be able to add the ACL class, no further attributes and then let everyone in? Why then mention the ACL, I wonder. The rest of the ACL design says “…and if none of the rules match, then the

ACL for Constrained Delegation?

2014-02-19 Thread Rick van Rein
Hello, I’m trying to understand how to configure Constrained Delegation in the KDC. I think I got the GSSAPI client side part, notably S4U2Proxy, but I can only seem to find proxy / proxiable flags in the KDC setup. And these don’t have undisputably clear semantics, from what I’ve read.

Re: Challenging clients, why another ping-pong?

2014-02-06 Thread Rick van Rein
these matters? Is this going on in an IETF WG? Rick van Rein OpenFortress

Re: Challenging clients, why another ping-pong?

2014-02-06 Thread Rick van Rein
Hi Greg, Thanks, the terminology has indeed been confusing to me. I suppose things are as they are — or, as they have grown. Thanks, -Rick

Re: Challenging clients, why another ping-pong?

2014-02-04 Thread Rick van Rein
Hello Greg, > What are you looking at specifically? GSSAPI exchanges begin with the client. I thought you might say that. I was looking at SPNEGO, which embeds GSSAPI but where the initiative is (usually) taken by the server. It’s a waste that SPNEGO doesn’t communicate a challenge at that

Challenging clients, why another ping-pong?

2014-02-03 Thread Rick van Rein
Hello, GSSAPI-based protocols have an option of challenging a client with a counter value. This is done after the client submits a ticket. Looking at SPNEGO (and probably other protocols as well) I see that the server can take the initiative for an GSSAPI exchange, and when doing so, it could

Re: Query - How to determine the KDC

2014-01-31 Thread Rick van Rein
Hi, > Hope this isn't a silly question. Is there a command/tool that tells us which is the KDC for a particular realm ? You’d normally guess that the realm name is a DNS name, as is suggested in manuals, and then look it up (no lowercase casting necessary, as DNS is agnostic to case). You

Re: Query - How to determine the KDC

2014-01-31 Thread Rick van Rein
Hello, > Hope this isn't a silly question. Is there a command/tool that tells us which is the KDC for a particular realm ? Silly me, I only gave half an answer. Once you have established that the realm of a DNS zone is the right one, you can rely on the KDC mentioned in SRV records with
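Added example, not from this thread or from any Kerberos implementation: the two lookups these two replies describe, run offline against a constructed resolver dict so it needs no network. It builds the _kerberos._udp and _kerberos._tcp SRV names for a realm, orders the answers as RFC 2782 prescribes, and maps a host name to a realm via the _kerberos TXT records that other posts on this page discuss. The walk-up order of the TXT lookup and the zone data are assumptions. As noted elsewhere on this page, without DNSSEC validation every one of these answers is unauthenticated input, so a client that trusts them is letting the network choose its KDC.

```python
"""Realm -> KDC and host -> realm discovery as a DNS-based Kerberos client does it, offline.

Realm names are conventionally the upper-cased DNS domain. A client with DNS lookups enabled
queries SRV records _kerberos._udp.<realm> and _kerberos._tcp.<realm> (RFC 4120 sec. 7.2.3.3)
and, for host-to-realm mapping, _kerberos.<host> TXT records. The resolver here is a dict.
"""
import random


def realm_srv_names(realm):
    """SRV owner names to try, in order. DNS is case-insensitive; lower-casing is cosmetic."""
    label = realm.rstrip(".").lower()
    return ["_kerberos._udp." + label, "_kerberos._tcp." + label]


def host_txt_names(hostname):
    """_kerberos TXT candidates from most to least specific (host, then each parent domain).

    Assumption: stop before the bare top-level label; the exact walk-up is client policy.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def order_srv(records, rng=None):
    """RFC 2782 target selection: ascending priority; within a priority, weighted random draws
    without replacement, so the result is a complete fallback list. Weight-0 records are only
    chosen once every remaining record in that priority has weight 0.
    """
    rng = rng or random.Random()
    by_prio = {}
    for prio, weight, port, target in records:
        by_prio.setdefault(prio, []).append((weight, port, target))
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(w for w, _, _ in pool)
            pick = 0
            if total:
                r = rng.randrange(total)          # 0 <= r < total
                acc = 0
                for i, (w, _, _) in enumerate(pool):
                    acc += w
                    if r < acc:
                        pick = i
                        break
            _, port, target = pool.pop(pick)
            ordered.append((target, port))
    return ordered


def find_kdcs(realm, resolver, rng=None):
    """Ordered (host, port) list for a realm, or [] when neither SRV name answers."""
    for name in realm_srv_names(realm):
        records = resolver.get(name)
        if records:
            return order_srv(records, rng)
    return []


def find_realm(hostname, resolver):
    """Realm for a host from the first _kerberos TXT record found walking up the name, else None."""
    for name in host_txt_names(hostname):
        txt = resolver.get(name)
        if txt:
            return txt[0]
    return None


# Constructed zone data for illustration (not any real domain's records).
# SRV tuples are (priority, weight, port, target); TXT values are lists of strings.
FAKE_DNS = {
    "_kerberos._udp.example.com": [
        (10, 50, 88, "kdc1.example.com"),
        (10, 50, 88, "kdc2.example.com"),
        (20, 0, 88, "kdc-backup.example.com"),
    ],
    "_kerberos.example.com": ["EXAMPLE.COM"],
}

if __name__ == "__main__":
    print(find_realm("imap.example.com", FAKE_DNS))
    print(find_kdcs("EXAMPLE.COM", FAKE_DNS))
```

Swapping the dict for real queries (e.g. via dnspython) changes nothing above the resolver boundary; what does change the trust story is whether the resolver validates DNSSEC, because the same code will happily order whatever SRV set a spoofed answer contains.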

Overview of Kerberos weaknesses?

2013-11-22 Thread Rick van Rein
Hello, When studying Kerberos literature, I sometimes bounce into statements regarding the well-documented shortcomings of Kerberos. I am aware of the problems due to weak principal passwords, and of the aggravation of this risk due to the lack of Perfect Forward Secrecy. I understand that

Re: using kerberos to authenticate for a web api

2013-11-05 Thread Rick van Rein
(or under this location/directory) and gain access to all the backend services available to the user? Rick van Rein OpenFortress

Re: Error messages

2013-10-13 Thread Rick van Rein (OpenFortress)
Hello Greg, Thanks so much. The documentation leaves me puzzled, but you surely compensate for it. Even in the weekend! I've progressed (and documented it, hopefully serving others) but I get stuck in the KDB/LDAP code. Are there any requirements from my configuration or environment in

Re: Error messages

2013-10-13 Thread Rick van Rein (OpenFortress)
Oh, > "Invalid credentials" is a string from the OpenLDAP library (corresponding to LDAP_INVALID_CREDENTIALS), not from our source code. That's helpful to know! Indeed, "auth access granted" just means access is permitted but not succeeding auth -- except that LDAP gives no further errors. We

Re: Error messages

2013-10-12 Thread Rick van Rein (OpenFortress)
Hello, >> Apparently not all enctypes can function as master key, notably aes256-cts:normal cannot. > aes256-cts can definitely be used for the master key, and has been the default for the master key since 1.8. Something else is going on here. Thanks Greg -- with the string you supplied it

Error messages

2013-10-11 Thread Rick van Rein (OpenFortress)
Hi, I've been trying to setup Kerberos on LDAP for several days now, on and off, and I have to say I'm a bit disappointed by the quality of the error messages, and what online searching for them yields. I find myself reading source code to see where errors come from. In the hope that it is

Re: STARTTLS extension

2013-10-09 Thread Rick van Rein (OpenFortress)
Hello Hans-Juergen, > Are there any plans to implement the Kerberos STARTTLS extension (RFC 6251)? I'd be interested to learn why you would like to have this, given that Kerberos is already designed to run over untrusted networks? > I'm architecting Kerberos into http://networkeffectalliance.org/

Re: STARTTLS extension

2013-10-09 Thread Rick van Rein (OpenFortress)
the reason I asked -- curiosity about pros. Thanks, Rick van Rein OpenFortress

Re: Unclear about Kerberos' Concepts

2013-10-05 Thread Rick van Rein (OpenFortress)
Hello Greg, Thanks for clarifying. > It is common for a service to contact another service, after using its long-term key to acquire a TGT. Great. And that would be a TGT in its own name, as I understand it. > It is less common for a user or service to contact a user, though it is
