On credential cache separation between service ticket and TGT

Greg Hudson ghudson at MIT.EDU
Wed Mar 5 10:29:11 EST 2014


On 03/05/2014 09:43 AM, Arpit Srivastava wrote:
> 1. Is there any way to selectively expose the service ticket and not the
> TGT to the applications (which will be using GSS APIs)? Can we store both
> of them in different files rather than together in a single krb5cc?

You could copy the service ticket into a different ccache and expose
only that to the application.  GSSAPI applications will work fine if
they have a service ticket and no TGT.

There are no GSS functions for doing this kind of selective copying; you
would have to use ccache functions from libkrb5, or use kinit -S (or
equivalent) to avoid getting a TGT in the first place.

> 2. If I give away the krb5cc (which also contains the TGT) to the
> application, can the application make use of its TGT part (e.g. obtaining
> service tickets for other SPNs for malicious purposes) after calling
> acquire_cred or any other API?

Yes, if you expose a TGT to an application then it could use that to
obtain any service ticket.
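As an added example (not code from the thread, from the poster, or from MIT Kerberos), here is the kinit -S route described above turned into a small POSIX shell script: it obtains only a service ticket into a dedicated cache for the application and checks with klist that no krbtgt entry is present before the cache is handed over. The cache name, SPN and principal are assumptions supplied by the caller, and the klist text used for the offline check is constructed.

```shell
#!/bin/sh
# Added example; not code from MIT Kerberos or from the thread.
# Assumes MIT Kerberos client tools (kinit, klist, kdestroy) are installed.
set -eu

# Read `klist` output on stdin and print "has-tgt" if any credential line
# names a krbtgt/ service principal (i.e. a TGT is in the cache), else
# "service-only".  Credential lines are indented by their date columns, so
# the krbtgt/ match is anchored on preceding whitespace.
classify_klist() {
    if grep -q '[[:space:]]krbtgt/'; then
        echo has-tgt
    else
        echo service-only
    fi
}

# Get a service ticket for $2 (and nothing else) into the cache $1 for the
# principal $3, then refuse to release the cache if a TGT is present anyway
# (for example because the cache already existed and held one).
make_service_only_ccache() {
    app_ccache=$1 spn=$2 principal=$3
    kdestroy -c "$app_ccache" 2>/dev/null || true   # start from an empty cache
    KRB5CCNAME="$app_ccache" kinit -S "$spn" "$principal"
    if [ "$(klist -c "$app_ccache" | classify_klist)" != service-only ]; then
        echo "refusing: $app_ccache contains a TGT" >&2
        return 1
    fi
    echo "$app_ccache holds only a ticket for $spn; run the app with KRB5CCNAME=$app_ccache"
}

# Constructed klist output (not captured from a real system) for offline checks.
KLIST_WITH_TGT='Ticket cache: FILE:/tmp/krb5cc_user
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
03/05/2014 10:29:11  03/05/2014 20:29:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/05/2014 10:30:02  03/05/2014 20:29:11  HTTP/www.example.com@EXAMPLE.COM'

KLIST_SERVICE_ONLY='Ticket cache: FILE:/tmp/krb5cc_app
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
03/05/2014 10:29:11  03/05/2014 20:29:11  HTTP/www.example.com@EXAMPLE.COM'

# Usage: ./ccache-split.sh FILE:/tmp/krb5cc_app HTTP/www.example.com alice@EXAMPLE.COM
if [ $# -eq 3 ]; then
    make_service_only_ccache "$1" "$2" "$3"
fi
```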
