From: Todd Lubin <tlubin@janestreet.com>
Date: Wed, 6 Dec 2017 09:30:22 -0500
Subject: Caching Forwarded TGTs
To: krb5-bugs@mit.edu

When requesting a forwarded TGT, a client always talks to the KDC. [krb5_fwd_tgt_creds] always calls [krb5_get_cred_via_tkt].
When ssh is using GSSAPIDelegateCredentials=yes, this generates KDC traffic on every new ssh connection.
You could imagine caching forwarded TGTs to avoid this. If addresses are used, you could cache a forwarded TGT for each destination host.
Is there a particular reason that this is not done? If not, I can submit a patch for this.