PROXY tickets and GSSAPI

Jen Selby jenselby at MIT.EDU
Wed Jun 26 14:51:01 EDT 2002

> Also, its unclear to me how the PROXY flag (not the PROXIABLE flag)
> ever gets set.  I'm assuming that the server who is acting on behalf
> of the client is supposed to set this when it receives a PROXIABLE
> cred that is is going to use.

If the KDC gets a request with the PROXY flag set and the requestor
has PROXIABLE tickets, then the KDC will set the PROXY flag in the
tickets which it provides in response to the request.

> I'm speculating also that the service that the proxy is actually
> talking to must check for the PROXY flag and verify the address fields
> before allowing the request to be processed.

If an application wishes not to accept PROXY tickets, then it could
check the PROXY flag and disallow tickets that have it set.  It is
certainly not required to check for this, and can treat the PROXY
tickets like any other tickets in terms of whether or not it accepts


More information about the krbdev mailing list