Alternative proxy-creds API for constrained-delegation

Nico Williams nico at
Wed Jun 3 17:26:32 EDT 2020

On Wed, Jun 03, 2020 at 02:34:13PM -0500, Nico Williams wrote:
> On Wed, Jun 03, 2020 at 06:54:01PM +0200, Isaac Boukris wrote:
> > On Wed, Jun 3, 2020 at 5:58 PM Nico Williams <nico at> wrote:
> > > On Wed, Jun 03, 2020 at 02:15:58PM +0200, Isaac Boukris wrote:
> > > > This sounds a lot of application logic, and we also don't want to
> > > > implicitly delegate a ticket at this point.
> > >
> > > On the contrary, this makes the app simpler because configuration now is
> > > something of a hole: the app doesn't need to know anything about it, it
> > > just passes through settings from a config file.
> > >
> > > We do this in our sshd already, so it won't need _any_ changes in order
> > > to use this new configuration parameter.
> > 
> > Not sure I follow, so your sshd won't need any changes, how does that
> > make it simple for others? And again, we don't want to implicitly
> > delegate a ticket at this point.
> I'm going to publish our patches (got permission today), and hopefully
> we can coalesce on one fork of OpenSSH with GSS KEYEX and then we can
> contribute to OpenSSH.

I'll be rebasing these, squashing some dropping all the "Release ..."
commits, maybe splitting Debian, HPN, and GSS KEYEX commits into
separate branches, with master having all the patches.

> Regardless, if you follow this pattern in other apps, you'll get the
> same benefit of making the use of new configuration parameters not
> require further app changes -- IMO minimizing future needed code changes
> is a very powerful feature.

The code in question is here:

 - cred_store key/value setup:

   Yes, it's more lines of code than your alternative, but this has to
   be written only once -- new config parameters can just be added to
   sshd_config (see below).

 - gss_store_cred_into2() call:

 - relevant sshd_config parsing parts:

Now I'm thinking it'd be nice to have separate sshd_config params for
acceptor acquisition from cred_store and storing of


More information about the krbdev mailing list