PROXY tickets and GSSAPI

Sam Hartman hartmans at MIT.EDU
Wed Jun 26 19:23:01 EDT 2002

>>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll at> writes:

    Wyllys> So, the benefit of PROXY tickets as opposed to a more
    Wyllys> general FORWARDABLE ticket is that the PROXY ticket may
    Wyllys> only be used from the addresses specified in the ticket,
    Wyllys> correct?  Is an addressless PROXY ticket equivalent to a
    Wyllys> FORWARDABLE ticket?

A proxy ticket is not a TGT; a forwarded ticket is a TGT; that is the only distinction.

    Wyllys> Is there a way to actually specify a service or list of
    Wyllys> services that the server may act as a proxy for ?
    Wyllys> Example, you only want the PROXY server to use your creds
    Wyllys> to access "print" services on some server but not other
    Wyllys> kerberized services?

Yes; you can obtain and proxy only the services you want to proxy.

I don't know of anyone who has ever implemented that code though.

More information about the krbdev mailing list