Alternative proxy-creds API for constrained-delegation
Simo Sorce
simo at redhat.com
Fri Jun 5 09:35:47 EDT 2020
On Fri, 2020-06-05 at 12:11 +0200, Isaac Boukris wrote:
> Actually, even with the cred_store option for delegation_policy, when
> using more than one type, one can't really tell what creds he got at
> the end.
>
> We have GET_CRED_IMPERSONATOR_OID which I think can be used to inquire
> for proxy-creds, but how do you tell a tgt-less one? It would be nice
> to be able to inquire about it.
>
gss_inquire_cred() will return a name for the cred, it could do so and
add a name attribute that marks the credential as "not a TGT" in some
way.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc