On credential cache separation between service ticket and TGT

Arpit Srivastava arpit.orb at gmail.com
Wed Mar 5 10:55:37 EST 2014


Thanks Greg for your comments.

That is the problem now: how to separate the service tickets from the TGT so as
to copy only those to a different cache? It would be great if you can
give some pointers.

Best,
Arpit

On Wed, Mar 5, 2014 at 8:59 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 03/05/2014 09:43 AM, Arpit Srivastava wrote:
> > 1.    Is there any way to selectively expose the service ticket and not the
> > TGT to the applications (which will be using GSS APIs)? Can we store both
> > of them in different files and not together in a single krb5cc?
>
> You could copy the service ticket into a different ccache and expose
> only that to the application. GSSAPI applications will work fine if
> they have a service ticket and no TGT.
>
> There are no GSS functions for doing this kind of selective copying; you
> would have to use ccache functions from libkrb5, or use kinit -S (or
> equivalent) to avoid getting a TGT in the first place.
>
> > 2.    If I give away the krb5cc (which also contains the TGT) to the
> > application, can the application make use (e.g. obtaining service tickets
> > for other SPNs for malicious purposes) of its TGT part after calling
> > acquire_cred or any other API?
>
> Yes, if you expose a TGT to an application then it could use that to
> obtain any service ticket.
>
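Greg's suggestion of copying just the service ticket into a second ccache, worked through as an added example that is not code from this thread or from MIT Kerberos: the script below does the copy at the file-format level with only the Python standard library (instead of libkrb5's krb5_cc_start_seq_get / krb5_cc_next_cred / krb5_cc_store_cred loop), so the mechanics can be seen without a KDC. It parses a FILE-format cache of format version 4, drops every credential whose server principal is krbtgt/..., and re-serialises the rest. The built-in sample cache, its principals (arpit@EXAMPLE.COM, host/app.example.com), key bytes and ticket bytes are all constructed for the example.

```python
"""Copy only the service tickets out of a Kerberos FILE credential cache.
Added example, not MIT krb5 code: parses ccache format version 4 (the MIT default)
with the standard library, drops krbtgt entries, re-serialises the rest."""
import struct
import sys

_MAGIC_V4 = b"\x05\x04"

class _Reader:
    """Big-endian cursor over ccache bytes."""
    def __init__(self, data): self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u32())        # 32-bit length + data

def _blob(b): return struct.pack(">I", len(b)) + b

def _read_principal(r):
    name_type, ncomp = r.u32(), r.u32()
    realm = r.blob().decode()
    return {"type": name_type, "realm": realm, "components": [r.blob().decode() for _ in range(ncomp)]}

def _write_principal(p):
    out = struct.pack(">II", p["type"], len(p["components"])) + _blob(p["realm"].encode())
    return out + b"".join(_blob(c.encode()) for c in p["components"])

def principal_str(p): return "/".join(p["components"]) + "@" + p["realm"]

def _read_cred(r):
    c = {"client": _read_principal(r), "server": _read_principal(r)}
    c["enctype"], c["key"] = r.u16(), r.blob()          # v4 stores the enctype once
    c["times"] = [r.u32() for _ in range(4)]            # authtime, start, end, renew_till
    c["is_skey"], c["flags"] = r.u8(), r.u32()
    c["addresses"] = [(r.u16(), r.blob()) for _ in range(r.u32())]
    c["authdata"] = [(r.u16(), r.blob()) for _ in range(r.u32())]
    c["ticket"], c["second_ticket"] = r.blob(), r.blob()
    return c

def _write_cred(c):
    out = _write_principal(c["client"]) + _write_principal(c["server"])
    out += struct.pack(">H", c["enctype"]) + _blob(c["key"])
    out += struct.pack(">IIIIBI", *c["times"], c["is_skey"], c["flags"])
    for seq in (c["addresses"], c["authdata"]):
        out += struct.pack(">I", len(seq)) + b"".join(struct.pack(">H", t) + _blob(d) for t, d in seq)
    return out + _blob(c["ticket"]) + _blob(c["second_ticket"])

def parse_ccache(data):
    r = _Reader(data)
    if r.take(2) != _MAGIC_V4:
        raise ValueError("only FILE ccache format version 4 is supported")
    header = r.take(r.u16())                 # opaque header fields (DeltaTime etc.), kept as-is
    default = _read_principal(r)
    creds = []
    while r.pos < len(data):
        creds.append(_read_cred(r))
    return {"header": header, "default": default, "creds": creds}

def serialize_ccache(cc):
    out = _MAGIC_V4 + struct.pack(">H", len(cc["header"])) + cc["header"]
    return out + _write_principal(cc["default"]) + b"".join(map(_write_cred, cc["creds"]))

def is_tgt(cred):   # any credential whose server is krbtgt/..., cross-realm TGTs included
    return cred["server"]["components"][:1] == ["krbtgt"]

def split_ccache(data):
    """Return (cache bytes with every TGT removed, server names of the TGTs dropped).
    Cache-config pseudo-entries (realm X-CACHECONF:) are not tickets and are kept."""
    cc = parse_ccache(data)
    kept = [c for c in cc["creds"] if not is_tgt(c)]
    dropped = [principal_str(c["server"]) for c in cc["creds"] if is_tgt(c)]
    return serialize_ccache({**cc, "creds": kept}), dropped

def _principal(realm, *comps, name_type=1):     # KRB5_NT_PRINCIPAL == 1
    return {"type": name_type, "realm": realm, "components": list(comps)}

def build_sample_ccache():
    # Constructed cache for user arpit: one TGT and one host/ service ticket, dummy key/tickets.
    user = _principal("EXAMPLE.COM", "arpit")
    def cred(server, ticket):
        return {"client": user, "server": server, "enctype": 18, "key": b"\x00" * 32,
                "times": [1, 1, 36001, 604801], "is_skey": 0, "flags": 0x40e10000,
                "addresses": [], "authdata": [], "ticket": ticket, "second_ticket": b""}
    header = struct.pack(">HHii", 1, 8, 0, 0)       # tag 1 = DeltaTime, 8 bytes of data
    creds = [cred(_principal("EXAMPLE.COM", "krbtgt", "EXAMPLE.COM", name_type=2), b"tgt"),
             cred(_principal("EXAMPLE.COM", "host", "app.example.com", name_type=3), b"svc")]
    return serialize_ccache({"header": header, "default": user, "creds": creds})

if __name__ == "__main__":   # usage: split_ccache.py [krb5cc_in [krb5cc_out]]; no args = sample
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ccache()
    out, dropped = split_ccache(src)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(out)
    print("dropped", dropped, "kept", [principal_str(c["server"]) for c in parse_ccache(out)["creds"]])
```

Run against a real cache (the file behind KRB5CCNAME=FILE:/tmp/krb5cc_<uid>, for instance), write the result to a second file and point the application's KRB5CCNAME at that one. Two caveats: the second cache still holds the service ticket's session key, so it needs the same owner-only permissions as the original; and with no TGT in it the application cannot renew or re-obtain the ticket when it expires, so whatever does the split (or runs kinit -S, as Greg mentions) has to repeat it before expiry.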

