On Fri, 2015-03-13 at 14:55 +0100, Robert Wehn wrote:
> There is a bug report/suggested patch which seems to make it possible
> but never seemed to get into the kernel:
> http://www.spinics.net/lists/linux-nfs/msg34236.html
>
> What is your opinion of this behavior?
> Do you think this is reasonable from a Kerberos point of view, or do you
> also think this needs to be changed?

This isn't Kerberos's fault, but NFS's; it's how it avoids having token
management like AFS uses (extra aklog step to register ticket with
filesystem and unlog to deregister it).

Personally, I prefer AFS's way of dealing with it; the whole business
about snooping ticket caches and caching its own private copy is
concerning security-wise and seems like it would easily become confused.

-- 
brandon s allbery kf8nh   sine nomine associates
[email protected]   [email protected]
unix openafs kerberos infrastructure xmonad   http://sinenomine.net

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
