PROXY tickets and GSSAPI

Wyllys Ingersoll wyllys.ingersoll at
Wed Jun 26 12:09:00 EDT 2002

I have a scenario where I would like to have a GSSAPI-based server
receive creds from a client and then act as a "proxy" by assuming the
clients identity (the initial client sent delegated creds with the 
PROXIABLE flags set)
to access a third service.

However, this does not seem possible given the current GSSAPI without
breaking the GSS abstraction layer in the intermediate server and 
directly manipulating
the Kerberos creds.   Has anyone done something similar or know if it would
be possible without alot of ugly hacks that break the barrier between 

-Wyllys Ingersoll

More information about the krbdev mailing list