On credential cache separation between service ticket and TGT

Simo Sorce simo at redhat.com
Wed Mar 5 11:05:12 EST 2014


On Wed, 2014-03-05 at 20:13 +0530, Arpit Srivastava wrote:
> Hi All,
> 
> 1.    Is there any way to selectively expose the service ticket and not the
> TGT to the applications (which will be using GSS APIs)? Can we store both
> of them in different files and not together in a single krb5cc?
> 
> 2.    If I give away the krb5cc (which also contains the TGT) to the
> application, can the application make use (e.g. obtaining service tickets
> for other SPNs for malicious purposes) of its TGT part after calling
> acquire_cred or any other API?
> 
> My use case is as follows:
> 
> I have a centralized service for doing kinit and storing krb5cc at an
> informed path. Now, I want applications (which will load the Kerberos library)
> to fetch credentials (here, I don't want to expose the whole krb5cc) from this
> service and use those credentials to call gss_init_sec_context() and
> thereon. I want to give away only that content of the credential cache (maybe
> by generating a service ticket using kvno) to the application, using which it can
> establish the context etc. Can exposing the whole krb5cc to the applications
> prove to be insecure? What should be the approach here? Please let me know if
> there is any specific GSS or Kerberos API that can be used here.
> Help would be highly appreciated.

You could look into using GSS-Proxy to handle privilege separation:
https://fedorahosted.org/gss-proxy/

However, it requires the exclusive use of GSSAPI calls in the
applications, no direct krb5 calls.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
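The first question asks whether the service ticket and the TGT can be kept in different files rather than one krb5cc. The script below is an added example, not code from this thread, from GSS-Proxy or from MIT krb5: it parses a version-4 FILE: credential cache using the record layout from the MIT krb5 "Credential cache file format" documentation, and copies each credential record verbatim into either a TGT-only cache or a service-ticket-only cache, so the central kinit service can keep the TGT and hand the application a cache that holds nothing else. The principal names, the all-zero keys and the ticket bytes in the built-in sample are constructed placeholders so the script runs offline without a KDC.

```python
"""Split a version-4 MIT Kerberos FILE: credential cache into one cache that
holds only the TGT and one that holds only service tickets. Layout follows the
MIT krb5 "Credential cache file format" doc: big-endian integers, data =
u32 length + bytes, principal = name_type u32, count u32, realm, components."""
import struct


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self):
        self.u32()                                  # name_type, not needed here
        n = self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm

    def credential(self):
        """Walk one credential record; return (client, server, raw bytes)."""
        start = self.pos
        client, server = self.principal(), self.principal()
        self.u16(); self.data()                     # keyblock: enctype, key
        self.take(16)                               # authtime .. renew_till
        self.u8(); self.u32()                       # is_skey, ticket_flags
        for _ in range(self.u32()): self.u16(); self.data()   # addresses
        for _ in range(self.u32()): self.u16(); self.data()   # authdata
        self.data(); self.data()                    # ticket, second_ticket
        return client, server, self.buf[start:self.pos]


def parse_ccache(buf):
    """Return (prefix, default_principal, creds); prefix = verbatim version,
    header tags and default principal, which every derived cache must repeat."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                                 # skip the header-tag block
    default_principal = r.principal()
    prefix, creds = buf[:r.pos], []
    while r.pos < len(buf):
        creds.append(r.credential())
    return prefix, default_principal, creds


def is_tgt(server):
    """Ticket-granting tickets (incl. cross-realm) are named krbtgt/REALM@REALM."""
    name = server.split("@", 1)[0].split("/")
    return len(name) == 2 and name[0] == "krbtgt"


def split_ccache(buf):
    """Return (tgt_cache, service_cache), each a complete v4 ccache blob."""
    prefix, _, creds = parse_ccache(buf)
    tgts = b"".join(raw for _, srv, raw in creds if is_tgt(srv))
    svcs = b"".join(raw for _, srv, raw in creds if not is_tgt(srv))
    return prefix + tgts, prefix + svcs


# Encoder: used only to construct an offline sample cache (not real tickets).
def _data(b):
    return struct.pack(">I", len(b)) + b

def encode_principal(name, name_type=1):
    comps, realm = name.split("@", 1)
    comps = comps.split("/")
    return (struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
            + b"".join(_data(c.encode()) for c in comps))

def encode_credential(client, server, ticket, enctype=18, key=b"\x00" * 32):
    return (encode_principal(client) + encode_principal(server)
            + struct.pack(">H", enctype) + _data(key)
            + struct.pack(">IIII", 0, 0, 0, 0)     # authtime .. renew_till
            + b"\x00" + struct.pack(">I", 0)       # is_skey, ticket_flags
            + struct.pack(">II", 0, 0)             # no addresses, no authdata
            + _data(ticket) + _data(b""))          # ticket, second_ticket

def build_ccache(default_principal, cred_blobs):
    return (b"\x05\x04" + struct.pack(">H", 0)    # version 4, empty tag list
            + encode_principal(default_principal) + b"".join(cred_blobs))

# Constructed sample: the default principal, its TGT and one host ticket.
SAMPLE = build_ccache("alice@EXAMPLE.COM", [
    encode_credential("alice@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM", b"tgt"),
    encode_credential("alice@EXAMPLE.COM", "host/app.example.com@EXAMPLE.COM", b"svc"),
])

if __name__ == "__main__":
    tgt_cc, svc_cc = split_ccache(SAMPLE)
    print("TGT cache:    ", [s for _, s, _ in parse_ccache(tgt_cc)[2]])
    print("service cache:", [s for _, s, _ in parse_ccache(svc_cc)[2]])
```

Run on a real cache by reading the FILE: path into `split_ccache` and writing the two blobs out; `klist -c` on the service-only file lists just the host ticket. Pointed at that file via KRB5CCNAME, the application can still call gss_init_sec_context() toward host/app.example.com, but with no TGT present the library cannot request tickets for other SPNs, which is the concern in the second question. Real caches also contain krb5_ccache_conf_data pseudo-credentials; they are not TGTs and land in the service cache. This is a file-level separation only; as the reply notes, GSS-Proxy achieves the same goal by keeping the TGT in a separate process behind the GSSAPI.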


