Separate in-/out- ccaches.

Peter Mogensen apm at one.com
Sat Feb 22 14:57:13 EST 2014


Hi,

I was wondering about a use case I have when using S4U2proxy.
(client->service1->service2)

The individual service tickets issued by the S4U2proxy TGS exchanges are 
transient and only last for a single request to service1 - and (more 
importantly) clients should be separated, so a ticket (client1->service2) 
should not be accessible to client2.

This works fine with a MEMORY ccache to hold the tickets.
But since you can only provide one ccache to the libkrb5 API, that also 
means service1 has to do an AS-REQ for a TGT to put in that MEMORY 
ccache for every request.
In reality service1 could have done fine with just having a single TGT 
in a persistent ccache and using that in every S4U2proxy TGS-REQ ... 
but putting the resulting ticket (client->service2) in the MEMORY ccache.

But AFAICS, the libkrb5 API does not allow you to specify an "input" and 
an "output" ccache.
At a very low level, only one ccache is possible: 
struct _krb5_tkt_creds_context has one krb5_ccache member.

Is there a way to do what I'm looking for?

/Peter