Alternative proxy-creds API for constrained-delegation

Isaac Boukris iboukris at
Mon Jun 8 07:19:52 EDT 2020

On Wed, Jun 3, 2020 at 6:01 PM Nico Williams <nico at> wrote:
> On Wed, Jun 03, 2020 at 04:11:08PM +0200, Isaac Boukris wrote:
> > To me, gss-proxy sounds like a big requirement, I was hoping for a
> > simpler plugable client helper mechanism, that simply talks to a
> > daemon when needed and puts the ticket in cache for the client to use.
> That's still a proxy.  We talked about this on the call.  Love had
> wanted all of these proxies back in 2012, and I agree with that:
>  - krb5_get_credentials() proxy
>  - krb5_mk/rd_req*() proxy
>  - gss proxy

Yes, it would be nice to make this tgt-less creds work for
krb5_get_credentials() callers, and not only gss_init_sec_context()

More information about the krbdev mailing list