Alternative proxy-creds API for constrained-delegation

Isaac Boukris iboukris at
Tue Jun 2 19:16:15 EDT 2020

On Wed, Jun 3, 2020 at 12:03 AM Nico Williams <nico at> wrote:
> On Tue, Jun 02, 2020 at 08:35:14PM +0200, Isaac Boukris wrote:
> > What does the daemon do once it get a proxy-creds upon accepting with
> > GSS_C_BOTH? Do we have an API to do init_sec(), just get the ticket,
> > extract it and return it to the caller, maybe krb5 api? How does the
> > caller gets it injected to its cache, would that be possible?
> If you get a deleg_cred_handle, you should be able to use it in the same
> process without further ado -- no changes needed to code calling
> gss_init_sec_context(), and no gss-proxy should be needed either.

I agree no changes needed to code calling gss_init_sec_context()
should be made, but if we only have a tgt-less cache someone would
have to do the work, thus a proxy is needed. I was trying to imagine
how the proxy code would look like, and how would it return the
requested ticket to be saved in the client cache for next usages.

More information about the krbdev mailing list