Creating GSSAPI initiate credential using keytab entry--how should this work

Sam Hartman hartmans at MIT.EDU
Wed Mar 10 14:18:17 EST 2010


>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:

    Greg> On Wed, 2010-03-10 at 12:36 -0500, Sam Hartman wrote:
    >> Would it be a good idea to wrap all this logic into
    >> gss_acquire_credential so that if you have a keytab you can just
    >> use it as an initiator?  I.E. would that be a good improvement
    >> for the future?

    Greg> Possibly.  Or we could do the
    Greg> credentials-cache-backed-by-a-keytab idea.

    Greg> I think it requires at least some thought, though.  Currently
    Greg> our GSSAPI library only does TGS requests, not AS requests.
    Greg> If it starts doing AS requests, then it becomes a consumer of
    Greg> the gic_opt framework and the preauth framework, and there are
    Greg> some (probably manageable) implications there.

We already will have to deal with this for iakerb.


