Services4User review

Luke Howard lukeh at
Fri Sep 4 13:03:26 EDT 2009

On 04/09/2009, at 6:35 PM, Greg Hudson wrote:

> Two questions about the API design:
> * Whereas the krb5 gss_acquire_cred only fetches existing credentials
> from a cache, the krb5 gss_acquire_cred_impersonate_cred actually goes
> out and fetches credentials from the KDC, right?

krb5_gss_acquire_cred_impersonate_cred() does not (this is deferred  
gss_init_sec_context(), as it would be with normal credentials).

krb5_gss_acquire_cred_impersonate_name() does, but I think this can be  
considered an implementation detail.

> * Under what circumstances would an application need to use the
> gss_acquire_cred_impersonate_cred interface, instead of just calling
> gss_init_sec_context with the appropriate proxy credential?  Is  
> there an
> actual reason to provide that API?  (And similarly for the  
> corresponding
> add_ API, of course.)

I believe this was proposed principally for other mechanisms (perhaps  
you can chime in here, Nico). You could use  
gss_acquire_cred_impersonate_cred() if you wished to impersonate a  
credential handle you acquired explicitly with gss_acquire_cred().

-- Luke

More information about the krbdev mailing list