Exporting/Importing credentials

Douglas E. Engert deengert at anl.gov
Mon Apr 14 15:53:16 EDT 2003

Il-Sung Lee wrote:
> Does anyone know how to export/import credentials using GSS-API?  I was
> hoping that there were APIs similar to
> gss_export_sec_context/gss_import_sec_context for use with credentials so
> that I could pass the delegated credentials from one process to another.
> As far as I can tell, the delegated credential is only available in the
> memory cache of the process accepting the context.
> Any suggestions would be appreciated.

See: http://www.ietf.org/internet-drafts/draft-engert-ggf-gss-extensions-00.txt

There is a gss_export_cred, and gss_import_cred defined. I have a
gss_export_cred for Kerberos, and the Globus GSI has both implemented. 

In the past this was left up to the application, to bypass the GSS and 
write out a Kerberos cache. The OpenSSH with GSSAPI is an example of this,
as is the MIT src/appl/gssftp/ftpd/ftpd.c ftpd_gss_convert_creds routine.
It eventually calls  gss_krb5_copy_ccache.  Then KRB5CCNAME env is normally set. 

The next process would use gss_acquire_cred.   

> Thanks,
> Il-Sung.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list