Alternative proxy-creds API for constrained-delegation

Nico Williams nico at
Wed Jun 3 15:34:13 EDT 2020

On Wed, Jun 03, 2020 at 06:54:01PM +0200, Isaac Boukris wrote:
> On Wed, Jun 3, 2020 at 5:58 PM Nico Williams <nico at> wrote:
> > On Wed, Jun 03, 2020 at 02:15:58PM +0200, Isaac Boukris wrote:
> > > This sounds a lot of application logic, and we also don't want to
> > > implicitly delegate a ticket at this point.
> >
> > On the contrary, this makes the app simpler because configuration now is
> > something of a hole: the app doesn't need to know anything about it, it
> > just passes through settings from a config file.
> >
> > We do this in our sshd already, so it won't need _any_ changes in order
> > to use this new configuration parameter.
> Not sure I follow, so your sshd won't need any changes, how does that
> make it simple for others? And again, we don't want to implicitly
> delegate a ticket at this point.

I'm going to publish our patches (got permission today), and hopefully
we can coalesce on one fork of OpenSSH with GSS KEYEX and then we can
contribute to OpenSSH.

Regardless, if you follow this pattern in other apps, you'll get the
same benefit of making the use of new configuration parameters not
require further app changes -- IMO minimizing future needed code changes
is a very powerful feature.


More information about the krbdev mailing list