[20110] in Kerberos_V5_Development


Re: Alternative proxy-creds API for constrained-delegation

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Wed Jun 3 10:11:49 2020

In-Reply-To: <910e4628-757b-9090-56b9-a992c6532a21@mit.edu>
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 3 Jun 2020 16:11:08 +0200
Message-ID: <CAC-fF8QgfvonVmCjAKHGbDgyL6Kt4H2GsxY9Vnea3=HQ9ZaCVw@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Simo Sorce <simo@redhat.com>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
        heimdal-discuss@heimdal.software,
        Nico Williams <nico@cryptonector.com>

On Tue, Jun 2, 2020 at 8:11 PM Greg Hudson <ghudson@mit.edu> wrote:
>
> The second half of the problem is a facility for using a "just the
> service ticket" credential to do S4U2Proxy.  Since S4U2Proxy requires a
> host TGT, this has to be done via a privileged service running on the
> host.  I think there is general agreement that this should be done via
> the existing gss-proxy facility unless we run into a roadblock.

To me, gss-proxy sounds like a big requirement; I was hoping for a
simpler pluggable client helper mechanism that simply talks to a
daemon when needed and puts the ticket in the cache for the client to use.
In other words, I'd prefer that we define how gss-proxy and other
daemons would be able to achieve this with GSSAPI, rather than the
other way around.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
