Alternative proxy-creds API for constrained-delegation

Nico Williams nico at
Wed Jun 3 19:26:30 EDT 2020

On Thu, Jun 04, 2020 at 12:20:53AM +0200, Isaac Boukris wrote:
> Thanks, I think I get it better now.


> > Now I'm thinking it'd be nice to have separate sshd_config params for
> > acceptor acquisition from cred_store and storing of
> > deleg_cred_handles...
> So if we go with gss_acquire_cred_from(), we can add a new store
> option "delegation-policy: client-tgt,client-ticket" which will
> override the corresponding krb5.conf option, which will default to
> "client-tgt,proxy-creds". Then one could add GssCredStoreKeyValue
> delegation-policy ...

We could certainly add this on the acceptor credential acquisition side.
We could also add this on the credential storing side.

Since I already have application support for this on the credential
storing side, that's my preference: I won't have to change my sshd at

Yes, that means sshd will get a transient S4U2Proxy deleg_cred_handle
when no cred was delegated that sshd will fail to store if
delegation-policy = client-tgt, but my sshd ignores (logs, but otherwise
ignores) failures to store deleg_cred_handles, so that's not a problem
at all.

That said, I'll probably end up adding code to call
gss_acquire_cred_from(desired_name=GSS_C_NO_NAME, cred_store=...) in
sshd, so this could be an option on both sides.

Note that we could decompose this into an option for each case:

 - a gss_acquire_cred_from() option to say whether to use S4U2Proxy when
   a cred is not delegated (or even always!)

 - a gss_store_cred_into*() option to say whether and how to store an
   S4U2Proxy cred if there were multiple options for that

Note that with gss_acquire_cred_impersonate_name() you can get an
S4U2Self (+ S4U2Proxy) cred without having to have called
gss_accept_sec_context() that could then be stored with


More information about the krbdev mailing list