Sergei Gerasenko <gera...@gmail.com> writes:

> Will keeping an access log slow me down much, do you know?

Yes, you may want to tune syslog or whatever you're using for your KDC logging, although MIT is a lot better than Heimdal in that regard (Heimdal is very verbose). I generally disabled sync to disk on the syslog log file that the KDC logging was routed to.

> For that matter, is there a benchmarking tool for KDCs?

Not that I'm aware of. I usually just rolled my own by calling kinit with a keytab and then kvno to get service tickets.

> Ok, it’s just that I see everywhere
> (e.g. https://en.wikipedia.org/wiki/Kerberos_(protocol)) that the initial
> TGT response includes a session key that the host and the service server
> will share. So that’s what got me thinking that once a TGT is retrieved,
> the client should request a service ticket using the same KDC. But like
> I said, I’m total newb.

The TGT contains both the session key and a copy of the session key encrypted in the KDC's private key, which is shared between all of the KDCs as part of the normal database, and the client always provides that encrypted copy of the key back in subsequent protocol exchanges.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
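
The kinit-then-kvno approach mentioned in the reply above, sketched as an added example that is not part of the original message. The function name `kdc_bench`, the keytab path and the principal names are hypothetical placeholders, and MIT `kinit` and `kvno` are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: crude load test for a KDC you operate. Each iteration does
# one AS exchange (kinit from a keytab) and one TGS exchange (kvno).
# Usage: kdc_bench KEYTAB CLIENT_PRINCIPAL SERVICE_PRINCIPAL [ITERATIONS]

kdc_bench() (
    # Subshell body: variables and KRB5CCNAME do not leak into the caller.
    keytab=$1 client=$2 service=$3 count=${4:-100}
    as_fail=0 tgs_fail=0 i=0

    # Private credential cache so the run never touches the caller's tickets.
    cache=$(mktemp "${TMPDIR:-/tmp}/kdcbench.XXXXXX") || exit 1
    KRB5CCNAME="FILE:$cache"
    export KRB5CCNAME

    start=$(date +%s)
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        # kinit reinitialises the cache, discarding any cached service
        # ticket, so the kvno below has to go back to the KDC every time.
        if kinit -k -t "$keytab" "$client" >/dev/null 2>&1; then
            kvno "$service" >/dev/null 2>&1 || tgs_fail=$((tgs_fail + 1))
        else
            as_fail=$((as_fail + 1))
        fi
    done
    end=$(date +%s)

    rm -f "$cache"
    echo "iterations=$count as_fail=$as_fail tgs_fail=$tgs_fail elapsed_s=$((end - start))"
)

# Run only when called with arguments, for example (placeholder values):
#   sh kdc_bench.sh ./bench.keytab bench@EXAMPLE.COM host/app.example.com 500
if [ "$#" -ge 3 ]; then
    kdc_bench "$@"
fi
```

Running it once with KDC logging as configured and once with logging tuned gives a before-and-after comparison of elapsed time for the same iteration count.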