* Magnus Hagander (mha@sollentuna.net) wrote:
> > > The way our Kerberos implementation is done, it does *not* validate
> > > the server, just the client. If you want server
> > verification, you must
> > > use a combination of both Kerberos and SSL.
> >
> > Eh? We use mutual authentication in Kerberos...
>
> We do? That's good then :-) I was told by someone that we don't. Never
> really checked into it, since all my installations already use SSL for
> that. So, I'll retract my comment ;)
We pass in 'MUTUAL_REQUIRED' to krb5_sendauth and check the return value
of it correctly... I'd be really curious why 'someone' felt we weren't
doing mutual authentication... I don't see anything obvious..
Thanks,
Stephen