Alternative proxy-creds API for constrained-delegation

Nico Williams nico at
Tue Jun 2 18:03:32 EDT 2020

On Tue, Jun 02, 2020 at 08:35:14PM +0200, Isaac Boukris wrote:
> What does the daemon do once it get a proxy-creds upon accepting with
> GSS_C_BOTH? Do we have an API to do init_sec(), just get the ticket,
> extract it and return it to the caller, maybe krb5 api? How does the
> caller gets it injected to its cache, would that be possible?

If you get a deleg_cred_handle, you should be able to use it in the same
process without further ado -- no changes needed to code calling
gss_init_sec_context(), and no gss-proxy should be needed either.

I don't think we even need GSS_C_BOTH to have been used to acquire the
acceptor credential.  What is needed is that the acceptor process have
access to the service's credentials, which clearly it must have in order
to accept.

My preference is to not make GSS_C_BOTH use a requirement on the
acceptor side.


More information about the krbdev mailing list