[20101] in Kerberos_V5_Development
Re: Alternative proxy-creds API for constrained-delegation
daemon@ATHENA.MIT.EDU (Nico Williams)
Tue Jun 2 18:03:56 2020
Date: Tue, 2 Jun 2020 17:03:32 -0500
From: Nico Williams <nico@cryptonector.com>
To: Isaac Boukris <iboukris@gmail.com>
Message-ID: <20200602220330.GS7856@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAC-fF8QCq6vTP6jMHS7MfnDUSieB7kDfgx+0HPY1eYWnKjWwFg@mail.gmail.com>
Cc: Simo Sorce <simo@redhat.com>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
heimdal-discuss@heimdal.software
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Tue, Jun 02, 2020 at 08:35:14PM +0200, Isaac Boukris wrote:
> What does the daemon do once it gets a proxy-creds upon accepting with
> GSS_C_BOTH? Do we have an API to do init_sec(), just get the ticket,
> extract it and return it to the caller, maybe krb5 api? How does the
> caller get it injected into its cache, would that be possible?

If you get a deleg_cred_handle, you should be able to use it in the same
process without further ado -- no changes needed to code calling
gss_init_sec_context(), and no gss-proxy should be needed either.

I don't think we even need GSS_C_BOTH to have been used to acquire the
acceptor credential. What is needed is that the acceptor process have
access to the service's credentials, which clearly it must have in order
to accept.

My preference is to not make GSS_C_BOTH use a requirement on the
acceptor side.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev