PROXY tickets and GSSAPI

Steven Michaud smch at
Wed Jun 26 13:11:00 EDT 2002

I've done more-or-less what you describe, as part of an
as-yet-unfinished Web-Kerberization project.  (The client (a Java
applet or a Netscape plugin) kinits and then does a GSSAPI
authentication to what I call a "Kerberos Helper" daemon, forwarding
the user's credentials as part of the process.  The Kerberos Helper
daemon puts the credentials into a ticket cache in a special location,
where an authentication plugin to some other service (e.g. UW IMAPD or
Apache) can find it and use its contents to authenticate the user.)

I did have to "break" the GSS abstraction (which of course you also
have to do in order to kinit).  But I don't think my method is _too_
ugly.  Basically, my Kerberos Helper daemon uses "Krb5 API" calls to
create a ticket cache (krb5_init_context, krb5_cc_resolve,
krb5_cc_initialize and the like).  Then it uses a GSSAPI extension
that I found in the MIT distribution (gss_krb5_copy_ccache) to copy
the forwarded credentials to the cache.  My authentication plugins use
yet another GSSAPI extension (gss_krb5_ccache_name) to temporarily
change the location of the default ticket cache, then use standard
GSSAPI calls to check its contents.

I also used forwardable credentials instead of proxiable ones.

On Wed, 26 Jun 2002, Wyllys Ingersoll wrote:

> I have a scenario where I would like to have a GSSAPI-based server
> receive creds from a client and then act as a "proxy" by assuming the
> client's identity (the initial client sent delegated creds with the
> PROXIABLE flags set) to access a third service.
> However, this does not seem possible given the current GSSAPI without
> breaking the GSS abstraction layer in the intermediate server and
> directly manipulating the Kerberos creds.  Has anyone done something
> similar or know if it would be possible without a lot of ugly hacks that
> break the barrier between GSSAPI and KRB5?
> -Wyllys Ingersoll
> _______________________________________________
> krbdev mailing list             krbdev at
