PROXY tickets and GSSAPI

Wyllys Ingersoll wyllys.ingersoll at
Wed Jun 26 12:59:01 EDT 2002

I agree.  From reading the RFC it seems that using the PROXIABLE
flag should be fairly useful in situations where you wish to delegate
your creds to server to act on your behalf, but there is no example of this
in the MIT distribution.

Also, its unclear to me how the PROXY flag (not the PROXIABLE flag)
ever gets set.  I'm assuming that the server who is acting on behalf of 
the client
is supposed to set this when it receives a PROXIABLE cred that is is going
to use.  I'm speculating also  that the service that the proxy is 
actually talking
to must check for the PROXY flag and verify the address fields before 
the request to be processed.   I wish there were some examples of this 
to learn
from and expand upon, its alot harder to create this stuff from scratch :)


Booker C. Bense wrote:
> On Wed, 26 Jun 2002, Wyllys Ingersoll wrote:
>>I have a scenario where I would like to have a GSSAPI-based server
>>receive creds from a client and then act as a "proxy" by assuming the
>>clients identity (the initial client sent delegated creds with the
>>PROXIABLE flags set)
>>to access a third service.
>>However, this does not seem possible given the current GSSAPI without
>>breaking the GSS abstraction layer in the intermediate server and
>>directly manipulating
>>the Kerberos creds.   Has anyone done something similar or know if it would
>>be possible without alot of ugly hacks that break the barrier between
>>GSSAPI and KRB5 ?
> - I would really like to know if anybody anywhere has ever used
> proxiable tickets for ANYTHING. As far as I know, there's no
> publically available software that uses proxiable tickets.
> - Booker C. Bense
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list