[20078] in Kerberos_V5_Development
Re: Constrained Delegation with certificate and GSS API
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 6 00:46:37 2020
To: Puran Chand <puran157@gmail.com>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <44c22ddd-cd0c-aca6-e065-db109732eca5@mit.edu>
Date: Wed, 6 May 2020 00:46:21 -0400
In-Reply-To: <CAKnEmRK_KdfRVq8WfVH32WDK5iUXrUvO2CpGii1jrBPiea4rsg@mail.gmail.com>
On 5/6/20 12:25 AM, Puran Chand wrote:
> I was wondering if there is a similar API to perform the same with
> a user certificate this time instead of a UPN.
> I hope it should send an AS-REQ with PA-DATA P4-S4U-X509-USER with
> certificate (with my limited knowledge).
There isn't yet. Release 1.18 included a lot of work on the internals,
as well as a kvno option (-F), but we haven't added any API for this
operation yet. There is a work-in-progress pull request from Isaac
Boukris here:
https://github.com/krb5/krb5/pull/1063
There may be alternative designs for the API; for instance, we could
perhaps instead define a new name type and use
gss_acquire_cred_impersonate_name().