Alternative proxy-creds API for constrained-delegation

Isaac Boukris iboukris at
Wed Jun 3 10:11:08 EDT 2020

On Tue, Jun 2, 2020 at 8:11 PM Greg Hudson <ghudson at> wrote:
> The second half of the problem is a facility for using a "just the
> service ticket" credential to do S4U2Proxy.  Since S4U2Proxy requires a
> host TGT, this has to be done via a privileged service running on the
> host.  I think there is general agreement that this should be done via
> the existing gss-proxy facility unless we run into a roadblock.

To me, gss-proxy sounds like a big requirement, I was hoping for a
simpler plugable client helper mechanism, that simply talks to a
daemon when needed and puts the ticket in cache for the client to use.
In other words, I'd prefer that we define how gss-proxy and other
daemon would be able to achieve this with gssapi, rather than the
other way around.

More information about the krbdev mailing list