On credential cache separation between service ticket and TGT

Arpit Srivastava arpit.orb at gmail.com
Wed Mar 5 09:43:12 EST 2014


Hi All,

1.    Is there any way to selectively expose the service ticket and not the
TGT to the applications (which will be using GSS APIs)? Can we store both
of them in different files and not together in a single krb5cc?

2.    If I give away the krb5cc (which also contains the TGT) to the
application, can the application make use of its TGT part (e.g. obtaining
service tickets for other SPNs for malicious purposes) after calling
acquire_cred or any other API?

My use case is as follows:

I have a centralized service for doing kinit and storing the krb5cc at a
known path. Now, I want applications (which will load the Kerberos library)
to fetch credentials (here, I don't want to expose the whole krb5cc) from this
service and use those credentials to call gss_init_sec_context() and so
on. I want to give away only that content of the credential cache (maybe
by generating a service ticket using kvno) to the application, using which it
can establish the context etc. Can exposing the whole krb5cc to the applications
prove to be insecure? What should be the approach here? Please let me know if
there is any specific GSS or Kerberos API that can be used here.
Help would be highly appreciated.

Regards,
Arpit

