What are the risks of using ms2mit to create an API: ccache? What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?
I’m interested in setting up ssh ticket forwarding with PuTTY + the MIT gss DLL provided by KfW (4.1) without having to deal with setting unconstrained delegation trusts on the target hosts’ AD objects. It seems that using Kerberos for Windows with an API: ccache allows me to accomplish this, but now I’m concerned that I may be opening myself up to potential client-side risks which I will need to document and manage somehow. I’ve searched the mailing list archives about this, but mostly the discussions are about getting things to work vs. the potential consequences once they do. Any pointers appreciated.
smime.p7s
Description: S/MIME cryptographic signature
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
