GSS-API routine for renewing credentials

Robert rob_krb at xs4all.nl
Wed Apr 18 17:41:03 EDT 2007


----- Original Message ----- 
From: "Nicolas Williams" <Nicolas.Williams at sun.com>
To: "Robert" <rob_krb at xs4all.nl>
Cc: <kerberos at mit.edu>
Sent: Wednesday, April 18, 2007 22:23
Subject: Re: GSS-API routine for renewing credentials


> On Wed, Apr 18, 2007 at 08:25:39PM +0200, Robert wrote:
>> Does anyone know whether there is a routine in GSS-API to renew (forwarded)
>> client credentials? I'm unable to locate such a routine in GSS-API, but maybe
>> I'm overlooking it.
>
> There's no such thing.
>
> In SSHv2 we deal with this by re-keying the SSHv2 session and, in the
> process, establishing a new GSS-API security context, which is an
> opportunity to delegate a new credential.
>
> I.e., you have to establish a new security context.
>
> Nico
> -- 

Thanks Nico.

I'm just thinking how that would work (if that would work for my situation).
I'm looking at this from a client -> gateway -> backend server perspective.
The client should actually not be bothered by the need to initiate a new
security context with the gateway. That's what you indicate, right?
(The gateway may need the delegated credentials to initiate a new security
context to a second backend server (silent failover)).

Robert 



