Services4User review

Luke Howard lukeh at
Fri Aug 21 12:53:11 EDT 2009

> But where would the host's credentials go?  Sure, you could use

If the acceptor and impersonate credentials are the same thing (which,
for constrained delegation in the Kerberos world, they must be), then
a single acceptor credential handle with GSS_C_BOTH would work:

gss_accept_sec_context() could then return a credentials handle
containing both the verifier's initiator credentials and the evidence
ticket (i.e. from the initiator to the acceptor).
(gss_acquire_cred_impersonate_cred() does just this.)

Anyway, I'm fine with the existing design :-)

>    - One could imagine alternative ways to design S4U2PROXY for
>      Kerberos where the proxy gets a TGT to impersonate the subject,
>      but the TGT carries authz-data that constrains what service
>      principals it can be used to get service tickets for.

Ah yes, that would be interesting too!

-- Luke

More information about the krbdev mailing list