Services4User review
Luke Howard
lukeh at padl.com
Sat Sep 5 02:46:36 EDT 2009
On 05/09/2009, at 5:10 AM, Greg Hudson wrote:
> On Fri, 2009-09-04 at 17:49 -0400, Nicolas Williams wrote:
>> Actually, S4U2Self and Proxy *both* are in the same boat: they can be
>> used without new gss_*cred*() extensions because in both cases they can
>> be used solely through the delegated credentials returned by
>> gss_accept_sec_context().
>
> That doesn't match my understanding. As I understand it, the general
> use case of S4U2Self is that you've authenticated a user by some other
> means (like an X.509 certificate or a password over TLS) and you want to
> get a ticket as that user to examine the PAC information or for use with
> S4U2Proxy. You never accepted a GSS security context. So you need
> gss_acquire_cred_impersonate_name to do S4U2Self, but you can then pass
> the resulting credentials to gss_init_sec_context to do S4U2Proxy,
> without needing a second extension.
Yes, that is my understanding too.
-- Luke