[19898] in Kerberos_V5_Development


Re: About proxy_impersonator

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Feb 25 11:36:18 2019

To: Weijun Wang <weijun.wang@oracle.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <a2ef8834-70c2-0777-a854-4bd3a574c321@mit.edu>
Date: Mon, 25 Feb 2019 11:36:06 -0500
MIME-Version: 1.0
In-Reply-To: <D3B0F052-8F71-4844-98FC-7F074BF9EDDF@oracle.com>
Content-Language: en-US
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 2/25/19 2:59 AM, Weijun Wang wrote:
> So gss_init_sec_context() is called using the default credential, it should 
> 
> 1) notice there is a proxy_impersonator
> 2) find a TGT matching the service name at #2
> 3) find the proxy credential matching the service name at #1
> 4) request ticket to any other service using #2 with #1 as the second ticket

I don't think code should make assumptions about credential order in a
ccache.  So I would amend the first three steps to:

1) notice there is a proxy_impersonator; get its value
2) find a TGT for (proxy_impersonator value) -> krbtgt/REALM@REALM
(where REALM is the realm of the proxy_impersonator value)
3) find the evidence ticket for (default principal of ccache) ->
(proxy_impersonator value)
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
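The order-independent lookups in the amended steps 1 to 3 above, modelled in Python as an added example; this is not code from the thread, from MIT krb5 or from Java GSS. It assumes the MIT ccache convention for config entries (a pseudo-credential whose server principal is `krb5_ccache_conf_data/<key>@X-CACHECONF:` and whose ticket field holds the value), and the principal names, the `Cred`/`CCache` types and the constructed sample cache are all assumptions. The sample cache deliberately lists the entries in an unhelpful order, with a decoy TGT for the default principal, to show that the selection does not depend on cache order.

```python
"""Select the TGT and evidence ticket for an S4U2Proxy request from a
credential cache carrying a proxy_impersonator config entry.  Constructed
example; the ccache is a plain list of entries, not a real krb5 ccache."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed MIT-style layout of ccache config entries.
CONF_REALM = "X-CACHECONF:"
CONF_PREFIX = "krb5_ccache_conf_data/"


@dataclass
class Cred:
    """One ccache entry: client and server principal plus the ticket
    bytes (for a config entry, the bytes carry the config value)."""
    client: str
    server: str
    ticket: bytes = b""


@dataclass
class CCache:
    default_principal: str
    creds: List[Cred] = field(default_factory=list)


def realm_of(principal: str) -> str:
    """Realm is the text after the last '@' not escaped by a backslash
    (krb5 allows '\\@' inside component names)."""
    for i in range(len(principal) - 1, 0, -1):
        if principal[i] == "@" and principal[i - 1] != "\\":
            return principal[i + 1:]
    raise ValueError("no realm in principal %r" % principal)


def is_config_entry(c: Cred) -> bool:
    return c.server.endswith("@" + CONF_REALM)


def get_config(cc: CCache, key: str) -> Optional[str]:
    """Step 1: read a ccache config entry and return its value."""
    want = CONF_PREFIX + key + "@" + CONF_REALM
    for c in cc.creds:
        if c.client == cc.default_principal and c.server == want:
            return c.ticket.decode("utf-8")
    return None


def find_cred(cc: CCache, client: str, server: str) -> Optional[Cred]:
    """Exact client/server match over the whole cache; the position of
    the entry in the cache is never assumed."""
    for c in cc.creds:
        if not is_config_entry(c) and c.client == client and c.server == server:
            return c
    return None


def select_s4u2proxy_creds(cc: CCache) -> Tuple[Cred, Cred]:
    """Steps 1-3: returns (tgt, evidence_ticket).  The TGT is the
    impersonator's own TGT; the evidence ticket is the default
    principal's ticket to the impersonator.  Step 4 would then use the
    TGT with the evidence ticket as the second ticket."""
    impersonator = get_config(cc, "proxy_impersonator")
    if impersonator is None:
        raise LookupError("no proxy_impersonator config entry in ccache")
    realm = realm_of(impersonator)
    tgt = find_cred(cc, impersonator, "krbtgt/%s@%s" % (realm, realm))
    if tgt is None:
        raise LookupError("no TGT for impersonator %s" % impersonator)
    evidence = find_cred(cc, cc.default_principal, impersonator)
    if evidence is None:
        raise LookupError("no evidence ticket %s -> %s"
                          % (cc.default_principal, impersonator))
    return tgt, evidence


def build_example_ccache() -> CCache:
    """Constructed sample cache: entries in an unhelpful order plus a
    decoy TGT for the default principal that must not be selected."""
    user = "alice@EXAMPLE.COM"
    svc = "HTTP/proxy.example.com@EXAMPLE.COM"
    return CCache(user, [
        Cred(user, svc, b"evidence-ticket"),
        Cred(user, "krbtgt/EXAMPLE.COM@EXAMPLE.COM", b"decoy-tgt"),
        Cred(user, CONF_PREFIX + "proxy_impersonator@" + CONF_REALM, svc.encode()),
        Cred(svc, "krbtgt/EXAMPLE.COM@EXAMPLE.COM", b"service-tgt"),
    ])


if __name__ == "__main__":
    tgt, evidence = select_s4u2proxy_creds(build_example_ccache())
    print("TGT for the S4U2Proxy request:", tgt.client, "->", tgt.server)
    print("evidence (second) ticket:     ", evidence.client, "->", evidence.server)
```

The realm used for the krbtgt lookup is taken from the proxy_impersonator value itself, not from the default principal, so a cache whose default principal is in a different realm from the impersonator still resolves the correct TGT.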
