lukeh at padl.com
Fri Sep 4 13:03:26 EDT 2009
On 04/09/2009, at 6:35 PM, Greg Hudson wrote:
> Two questions about the API design:
> * Whereas the krb5 gss_acquire_cred only fetches existing credentials
> from a cache, the krb5 gss_acquire_cred_impersonate_cred actually goes
> out and fetches credentials from the KDC, right?
krb5_gss_acquire_cred_impersonate_cred() does not (this is deferred to
gss_init_sec_context(), as it would be with normal credentials).
krb5_gss_acquire_cred_impersonate_name() does, but I think this can be
considered an implementation detail.
> * Under what circumstances would an application need to use the
> gss_acquire_cred_impersonate_cred interface, instead of just calling
> gss_init_sec_context with the appropriate proxy credential? Is there an
> actual reason to provide that API? (And similarly for the add_ API, of
> course.)
I believe this was proposed principally for other mechanisms (perhaps
you can chime in here, Nico). You could use
gss_acquire_cred_impersonate_cred() if you wished to impersonate a
credential handle you acquired explicitly with gss_acquire_cred().