From: Todd Lubin <email@example.com>
Date: Wed, 6 Dec 2017 09:30:22 -0500
Subject: Caching Forwarded TGTs

When requesting a forwarded TGT, a client always talks to the KDC. [krb5_fwd_tgt_creds] always calls [krb5_get_cred_via_tkt].
When ssh is using GSSAPIDelegateCredentials=yes, this generates KDC traffic on every new ssh connection.
You could imagine caching forwarded TGTs to avoid this. If addresses are used, you could cache a forwarded TGT for each destination host.
Is there a particular reason that this is not done? If not, I can submit a patch for this.
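
A model of the caching idea raised in the message above, added here as an illustration; it is not code from the poster or from the krb5 library. `FakeKDC`, `ForwardedTGTCache`, the 300-second expiry margin and the sample connections are assumptions, and the KDC exchange is simulated so that only round trips are counted.

```python
# Added illustration, not krb5 library code; every class and function name here is hypothetical.
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass(frozen=True)
class ForwardedTGT:
    client: str
    addresses: Optional[Tuple[str, ...]]   # None = addressless ticket
    endtime: float                         # expiry, seconds since epoch

@dataclass
class FakeKDC:
    lifetime: float = 36000.0   # assumed ticket lifetime in seconds
    requests: int = 0           # simulated KDC round trips made so far

    def forward_tgt(self, client, addresses, now):
        self.requests += 1
        return ForwardedTGT(client, addresses, now + self.lifetime)

@dataclass
class ForwardedTGTCache:
    kdc: FakeKDC
    use_addresses: bool
    min_remaining: float = 300.0   # assumed margin: do not hand out nearly expired tickets
    _entries: dict = field(default_factory=dict)

    def get(self, client, dest_host, dest_addrs, now):
        # Following the message: with addresses, cache one forwarded TGT per
        # destination host; without them, one per client can be reused.
        addrs = tuple(sorted(dest_addrs)) if self.use_addresses else None
        key = (client, dest_host if self.use_addresses else None)
        tgt = self._entries.get(key)
        if tgt is None or tgt.addresses != addrs or tgt.endtime - now < self.min_remaining:
            tgt = self.kdc.forward_tgt(client, addrs, now)   # cache miss: ask the KDC
            self._entries[key] = tgt
        return tgt

def kdc_requests_for(connections, use_addresses, lifetime=36000.0):
    """Replay (time, host, addrs) connections and return the KDC round trips made."""
    kdc = FakeKDC(lifetime=lifetime)
    cache = ForwardedTGTCache(kdc, use_addresses)
    for now, host, addrs in connections:
        cache.get("alice@EXAMPLE.COM", host, addrs, now)
    return kdc.requests

# Constructed sample: five ssh connections to two hosts over ten minutes.
SAMPLE = [(0, "a.example.com", ["192.0.2.10"]), (60, "a.example.com", ["192.0.2.10"]),
          (120, "b.example.com", ["192.0.2.20"]), (300, "a.example.com", ["192.0.2.10"]),
          (600, "b.example.com", ["192.0.2.20"])]
```

Without a cache, the five sample connections would cost five KDC requests; the model also shows that a short ticket lifetime erodes most of the saving.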