Exporting/Importing credentials
Douglas E. Engert
deengert at anl.gov
Mon Apr 14 15:53:16 EDT 2003
Il-Sung Lee wrote:
>
> Does anyone know how to export/import credentials using GSS-API? I was
> hoping that there were APIs similar to
> gss_export_sec_context/gss_import_sec_context for use with credentials so
> that I could pass the delegated credentials from one process to another.
> As far as I can tell, the delegated credential is only available in the
> memory cache of the process accepting the context.
>
> Any suggestions would be appreciated.
See: http://www.ietf.org/internet-drafts/draft-engert-ggf-gss-extensions-00.txt
There is a gss_export_cred, and gss_import_cred defined. I have a
gss_export_cred for Kerberos, and the Globus GSI has both implemented.
In the past this was left up to the application, to bypass the GSS and
write out a Kerberos cache. The OpenSSH with GSSAPI is an example of this,
as is the MIT src/appl/gssftp/ftpd/ftpd.c ftpd_gss_convert_creds routine.
It eventually calls gss_krb5_copy_ccache. Then KRB5CCNAME env is normally set.
The next process would use gss_acquire_cred.
>
> Thanks,
> Il-Sung.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list