Alternative proxy-creds API for constrained-delegation
iboukris at gmail.com
Wed Jun 3 10:11:08 EDT 2020
On Tue, Jun 2, 2020 at 8:11 PM Greg Hudson <ghudson at mit.edu> wrote:
> The second half of the problem is a facility for using a "just the
> service ticket" credential to do S4U2Proxy. Since S4U2Proxy requires a
> host TGT, this has to be done via a privileged service running on the
> host. I think there is general agreement that this should be done via
> the existing gss-proxy facility unless we run into a roadblock.
To me, gss-proxy sounds like a big requirement, I was hoping for a
simpler plugable client helper mechanism, that simply talks to a
daemon when needed and puts the ticket in cache for the client to use.
In other words, I'd prefer that we define how gss-proxy and other
daemon would be able to achieve this with gssapi, rather than the
other way around.
More information about the krbdev