Actually, that facility already exists but is not described in the way you have envisioned. Not checking the IP/host name makes the token forwardable (that's the primary objective in the explanation). You can already make tokens forwardable by ending the key name with a '+'; see

https://xrootd.slac.stanford.edu/doc/dev50/sec_config.htm#_Toc64492248

especially note 6. The question is whether you want an option to allow this only if the sss token was transmitted using TLS, which makes it much harder to steal. It's sort of a toss-up because I could have stolen the token off a non-TLS connection and then simply presented it immediately afterward using TLS, which would then make it accepted. So, not much of an improvement in security. In any case, your immediate problem is solvable by using generic forwardable tokens. Let me know.

Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1486#issuecomment-888006147