[20126] in Kerberos_V5_Development

Re: Alternative proxy-creds API for constrained-delegation

daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Jun 5 09:36:29 2020

Message-ID: <deea96cbe220dbbdd47d4b1834dbc0f1f263e924.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Isaac Boukris <iboukris@gmail.com>, Nico Williams <nico@cryptonector.com>
Date: Fri, 05 Jun 2020 09:35:47 -0400
In-Reply-To: <CAC-fF8ScHo7n2ANLxK8i4iLQ8Cm8rusv63PbVsM+feaX4v5RkA@mail.gmail.com>
MIME-Version: 1.0
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, 2020-06-05 at 12:11 +0200, Isaac Boukris wrote:
> Actually, even with the cred_store option for delegation_policy, when
> using more than one type, one can't really tell what creds he got at
> the end.
> 
> We have GET_CRED_IMPERSONATOR_OID which I think can be used to inquire
> for proxy-creds, but how do you tell a tgt-less one?  It would be nice
> to be able to inquire about it.
> 

gss_inquire_cred() will return a name for the cred, it could do so and
add a name attribute that marks the credential as "not a TGT" in some
way.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
