PROXY tickets and GSSAPI
hartmans at MIT.EDU
Wed Jun 26 19:23:01 EDT 2002

>>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll at sun.com> writes:

Wyllys> So, the benefit of PROXY tickets as opposed to a more
Wyllys> general FORWARDABLE ticket is that the PROXY ticket may
Wyllys> only be used from the addresses specified in the ticket,
Wyllys> correct? Is an addressless PROXY ticket equivalent to a
Wyllys> FORWARDABLE ticket?

A proxy ticket is not a TGT; a forwarded ticket is a TGT; that is the only distinction.

Wyllys> Is there a way to actually specify a service or list of
Wyllys> services that the server may act as a proxy for?
Wyllys> Example, you only want the PROXY server to use your creds
Wyllys> to access "print" services on some server but not other
Wyllys> kerberized services?

Yes; you can obtain and proxy only the services you want to proxy.
I don't know of anyone who has ever implemented that code though.