[20109] in Kerberos_V5_Development


Re: Alternative proxy-creds API for constrained-delegation

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Wed Jun 3 08:16:17 2020

MIME-Version: 1.0
In-Reply-To: <20200603045250.GW7856@localhost>
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 3 Jun 2020 14:15:58 +0200
Message-ID: <CAC-fF8RNhDyzK34XbL3E+W1huA0mjRULmUiRo9a8564+Aaz=-w@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Simo Sorce <simo@redhat.com>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, Jun 3, 2020 at 6:53 AM Nico Williams <nico@cryptonector.com> wrote:
>
> On Tue, Jun 02, 2020 at 10:30:47PM -0500, Nico Williams wrote:
> > On Wed, Jun 03, 2020 at 01:29:23AM +0200, Isaac Boukris wrote:
> > > On Wed, Jun 3, 2020 at 12:05 AM Nico Williams <nico@cryptonector.com> wrote:
> > > > On Tue, Jun 02, 2020 at 08:35:14PM +0200, Isaac Boukris wrote:
> > > > > I'd still love to see an application signal for the service ticket
> > > > > using a cred option or name attribute, more likely to help in samba.
> > > >
> > > > What exactly would the option specify?  I'm certain we can fit it in one
> > > > of three different ways though.
> > >
> > > It could specify the delegation-policy for this creds/context for
> > > example, or we can make the ticket always available via
> > > name-attributes like Simo suggested, but that would be somewhat
> > > unrelated work.
> >
> > So you're saying you want to be able to say "only accept traditional
> > delegated credentials, don't do S4U2Proxy" and also be able to say
> > "either is fine"?  And configuration is not enough?  Anyways, my
> > preference for that is to use gss_acquire_cred_from().
>
> I'll take that back!  The right interface for this is
> gss_store_cred_into() or gss_store_cred_into2().
>
> Here's the idea:
>
>  - you always get a deleg_cred_handle if one was delegated or S4U2Proxy
>    is available,
>
>  - you tell gss_store_cred_into() about what you're willing to store and
>    with what options,
>
>  - if you say "only real creds" then gss_store_cred_into() will not
>    store S4U2Proxy creds.

This sounds like a lot of application logic, and we also don't want to
implicitly delegate a ticket at this point.

btw, we don't have to call it s4u2proxy creds, it's just a tgt-less
cache with a service ticket, maybe we could use it in different
manners as well (for local auth, or maybe invent a way to authenticate
to the kdc with it?).
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
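As an added illustration of the two store policies discussed in this thread ("only real creds" vs "either is fine"), written for this page and not taken from MIT krb5 or from either poster: a C model of the check an acceptor would need, using a hypothetical `cache_model` struct in place of a real krb5 ccache and constructed sample caches. It treats a cache as traditionally delegated creds only when it holds `krbtgt/REALM@REALM` for the client's own realm, and as the TGT-less S4U2Proxy case otherwise.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a credential cache: the client principal plus
 * the server principal of each ticket it holds. Constructed for this
 * example; it is not MIT krb5's krb5_ccache. */
typedef struct {
    const char *client;
    const char *servers[8];
    size_t nservers;
} cache_model;

/* The two store policies from the thread. */
typedef enum { STORE_ONLY_REAL = 0, STORE_EITHER = 1 } store_policy;

/* Realm part of "name@REALM", or NULL if there is none. */
static const char *realm_of(const char *princ) {
    const char *at = strrchr(princ, '@');
    return at ? at + 1 : NULL;
}

/* A cache carries "real" delegated creds when it holds a ticket for
 * krbtgt/REALM@REALM in the client's own realm. A cache without one is the
 * TGT-less, service-ticket-only result of S4U2Proxy. */
bool cache_has_tgt(const cache_model *c) {
    const char *realm = realm_of(c->client);
    char want[256];
    if (realm == NULL) return false;
    snprintf(want, sizeof want, "krbtgt/%s@%s", realm, realm);
    for (size_t i = 0; i < c->nservers; i++)
        if (strcmp(c->servers[i], want) == 0) return true;
    return false;
}

/* Store decision under a policy: "only real creds" refuses the TGT-less
 * cache, "either is fine" stores both. */
bool should_store(const cache_model *c, store_policy p) {
    return p == STORE_EITHER || cache_has_tgt(c);
}

/* Constructed samples: a traditionally delegated cache (TGT present) and
 * an S4U2Proxy cache holding only the backend service ticket. */
const cache_model SAMPLE_DELEGATED = { "alice@EXAMPLE.COM",
    { "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "host/web.example.com@EXAMPLE.COM" }, 2 };
const cache_model SAMPLE_S4U2PROXY = { "alice@EXAMPLE.COM",
    { "host/backend.example.com@EXAMPLE.COM" }, 1 };
```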
