PROXY tickets and GSSAPI
Douglas E. Engert
deengert at anl.gov
Wed Jun 26 17:57:00 EDT 2002
Ken Hornstein wrote:
> > You are correct, I'm a bit confused about the diffs between proxy tix
> >and forwarded tix. I understand that the proxy tickets are service
> >and the forwarded tix are TGTs. I'm trying to get my hands around the
> >problem of actually sending a usable service ticket (with the proxy flag
> >set) to a GSSAPI service. I know that the TGT will be forwarded in the
> >gss_init_sec_context call when the delegation flag is set, but how would one
> >send the service ticket with the proxy flag - is this where the OOB exchange
> >between the client and proxy server comes into play?
> It's my gut feeling that, when it all boils down to everything at the end
> of the day, proxiable tickets have no real use. Especially in our NATted
> world today. Note that I'm probably in the minority on this one, and if you
> can prove me wrong, more power to you :-)
I thought the proxy ticket is for a service, so the client could send only selected
proxies to a server, rather than having to send a full TGT. For example, send
an afs/cell at realm ticket to a server, so it can access AFS in a specific cell,
but nothing else.
The problem is the GSSAPI only has a single delegate flag, which is used
for delegating a TGT, which is also forwardable.
The GSSAPI extensions we are proposing at the GGF next month might address
this problem, by allowing more input to the GSS delegation process, including
delegation at any time.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
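The distinction the thread turns on (a forwarded ticket is a TGT carrying the FORWARDED flag, while a proxy ticket is a service ticket carrying the PROXY flag) can be checked directly from a ticket's TicketFlags. The following is an added example, not code from the krbdev thread or from MIT Kerberos; it decodes the DER BIT STRING using the RFC 4120 bit positions and the sample flag bytes are constructed.

```python
# Decode a Kerberos TicketFlags BIT STRING (RFC 4120 §5.2.8 / §5.3) and say
# whether a ticket is a forwarded TGT (what GSS-API delegation sends) or a
# proxy service ticket (what the client would have to send out of band).
# Added example; the DER samples at the bottom are constructed.

# RFC 4120 TicketFlags bit positions; bit 0 is the MSB of the first octet.
TICKET_FLAG_NAMES = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}

def decode_ticket_flags(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03) into the set of named TicketFlags."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    nbits = len(body) * 8 - unused
    if nbits < 32:  # KerberosFlags must carry at least 32 bits (RFC 4120 §5.2.8)
        raise ValueError("KerberosFlags shorter than 32 bits")
    flags = set()
    for bit in range(nbits):
        if body[bit // 8] & (0x80 >> (bit % 8)):  # bits are numbered MSB-first
            flags.add(TICKET_FLAG_NAMES.get(bit, f"bit{bit}"))
    return flags

def classify_ticket(sname: str, der_flags: bytes) -> str:
    """Combine the service name with the flags to name the delegation case."""
    flags = decode_ticket_flags(der_flags)
    is_tgt = sname.startswith("krbtgt/")
    if is_tgt and "forwarded" in flags:
        return "forwarded TGT"
    if not is_tgt and "proxy" in flags:
        return "proxy service ticket"
    return "TGT" if is_tgt else "service ticket"

if __name__ == "__main__":
    # Constructed samples: tag 03, length 05, 0 unused bits, four flag octets.
    fwd_tgt = bytes.fromhex("03050060a00000")    # forwardable, forwarded, renewable, pre-authent
    proxy_afs = bytes.fromhex("03050008a00000")  # proxy, renewable, pre-authent
    print(classify_ticket("krbtgt/EXAMPLE.ORG", fwd_tgt))  # forwarded TGT
    print(classify_ticket("afs/cell", proxy_afs))          # proxy service ticket
```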