Separate in-/out- ccaches.
Peter Mogensen
apm at one.com
Sat Feb 22 14:57:13 EST 2014
Hi,
I was wondering about a use case I have when using S4U2proxy.
(client->service1->service2)
The individual service tickets issued by the S4U2proxy TGS exchanges are
transient and only last for a single request to service1 - and (more
importantly) clients should be separated so a ticket (client1->service2)
should not be accessible to client2.
This works fine with a MEMORY ccache to hold the tickets.
But since you can only provide 1 ccache to the libkrb5 API that also
means service1 has to do an AS-REQ for a TGT to put in that MEMORY
ccache for every request.
In reality service1 could have done fine with just having a single TGT
in a persistent ccache and using that in every S4U2proxy TGS-REQ. ...
but putting the resulting ticket (client->service2) in the MEMORY ccache.
But AFAICS, the libkrb5 API does not allow you to specify an "input" and
an "output" ccache.
At a very low level, only one ccache is possible.
struct _krb5_tkt_creds_context has only one krb5_ccache member.
Is there a way to do what I'm looking for?
/Peter