Delegated creds and SPNEGO

Nicolas Williams Nicolas.Williams at
Thu Aug 27 12:47:30 EDT 2009

On Thu, Aug 27, 2009 at 10:54:16AM -0500, Nicolas Williams wrote:
> On Wed, Aug 26, 2009 at 10:39:51PM -0700, Love Hörnquist Åstrand wrote:
> > gss_store_cred() is mostly unusable for just that reason, you can't
> > use it inside a multi threaded application, and you are not sure how
> > it will affect other processes if you call it. For example, two proxy
> > smb fileservers store credentials for the same user, one might
> > overwrite credentials for another process.
> That's not necessarily true.  For example, it's not true on Linux, since
> you can set up your per-thread keyrings appropriately and off it goes.
> And we could introduce a notion of credential store handles.  This would
> entail:
> a) functions to create and release credentials stores;
> b) a function to get a handle to the current credential store, and one
>    to set the current credential store to a given handle;
> c) new versions of gss_acquire/add/store_cred() that take a credential
>    store handle;

I'm pretty sure I mentioned this at KITTEN long ago...  Anyways,
explicit credential store handles would be very nice.  They'd have to
expose the granularity of current credential store associations in the
OS's process model, but otherwise they'd fully abstract details such as
"PAGs", "keyrings", etcetera, though they wouldn't abstract the details
of setting up new PAGs or session keyrings.  API-wise it'd look like:

a) GSS_Init_cred_store()                    -> status, CREDSTORE HANDLE
   GSS_Release_cred_store(CREDSTORE HANDLE) -> status

b) GSS_Get_current_cred_store(scope)        -> status, CREDSTORE HANDLE
   GSS_Set_current_cred_store(scope, CREDSTORE HANDLE) -> status

   Input "scope" argument: GSS_C_CS_SCOPE_{THREAD,PROCESS,SESSION,USER}.

c) GSS_Acquire_cred_from_store(..., CREDSTORE HANDLE) -> ...
   GSS_Add_cred_from_store(..., CREDSTORE HANDLE)     -> ...
   GSS_Store_cred_into_store(..., CREDSTORE HANDLE)   -> ...

   Same as GSS_Add/Acquire/Store_cred(), but with an extra input
   argument: a credential store handle.
   Default credential store handle symbol: GSS_C_NO_CRED_STORE.
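An added toy model of this proposal, to make the semantics concrete (not code from the thread or from any GSS-API implementation; the cs_* names, the narrowest-scope-first resolution order, and the principal strings are assumptions):

```c
#include <string.h>

/* Model of a credential store: one store holds one principal's delegated creds. */
typedef struct cred_store {
    char principal[64];   /* whose delegated credentials the store holds */
    unsigned stores;      /* how many times something was stored here */
} cred_store;

enum cs_scope { CS_SCOPE_THREAD, CS_SCOPE_PROCESS, CS_SCOPE_SESSION, CS_SCOPE_USER, CS_SCOPE_N };

#define CS_NO_CRED_STORE ((cred_store *)0)       /* stands in for GSS_C_NO_CRED_STORE */

static cred_store default_store;                 /* the shared, ambient store of today */
static cred_store *current[CS_SCOPE_N];          /* per-scope "current store" associations */

void cs_init_cred_store(cred_store *h) { memset(h, 0, sizeof *h); }
void cs_release_cred_store(cred_store *h) { memset(h, 0, sizeof *h); }   /* scrub on release */
void cs_set_current_cred_store(enum cs_scope s, cred_store *h) { current[s] = h; }

/* Resolve the ambient store: narrowest scope first, falling back to the process default
 * (assumed order; the proposal leaves this to the OS process model). */
cred_store *cs_get_current_cred_store(void) {
    for (int s = CS_SCOPE_THREAD; s < CS_SCOPE_N; s++)
        if (current[s]) return current[s];
    return &default_store;
}

/* Like gss_store_cred(), but CS_NO_CRED_STORE means "whatever store is current". */
int cs_store_cred_into_store(const char *principal, cred_store *h) {
    cred_store *dst = h ? h : cs_get_current_cred_store();
    if (strlen(principal) >= sizeof dst->principal) return -1;
    strcpy(dst->principal, principal);
    dst->stores++;
    return 0;
}

int cs_holds(const cred_store *h, const char *principal) { return strcmp(h->principal, principal) == 0; }

static void reset_model(void) { cs_init_cred_store(&default_store); memset(current, 0, sizeof current); }

/* Two proxy file servers store different users' delegated creds into the shared default.
 * Returns how many users' creds are still intact afterwards (the second store clobbers the first). */
int servers_with_shared_default(void) {
    reset_model();
    cs_store_cred_into_store("alice@EXAMPLE.COM", CS_NO_CRED_STORE);
    cs_store_cred_into_store("bob@EXAMPLE.COM", CS_NO_CRED_STORE);
    return cs_holds(&default_store, "alice@EXAMPLE.COM") + cs_holds(&default_store, "bob@EXAMPLE.COM");
}

/* Same scenario with store handles: one server binds its store to the thread scope, the other
 * passes an explicit handle. Returns 3 when both survive and the default was never touched. */
int servers_with_own_stores(void) {
    static cred_store a, b;
    reset_model(); cs_init_cred_store(&a); cs_init_cred_store(&b);
    cs_set_current_cred_store(CS_SCOPE_THREAD, &a);
    cs_store_cred_into_store("alice@EXAMPLE.COM", CS_NO_CRED_STORE);   /* lands in a, not default */
    cs_store_cred_into_store("bob@EXAMPLE.COM", &b);                   /* explicit handle */
    cs_set_current_cred_store(CS_SCOPE_THREAD, CS_NO_CRED_STORE);
    return cs_holds(&a, "alice@EXAMPLE.COM") + cs_holds(&b, "bob@EXAMPLE.COM") + (default_store.stores == 0);
}
```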
