Re: [Perlgssapi-developer] Patches for perl-GSSAPI
From: Simon W. <sx...@in...> - 2006-04-21 13:48:22
On Fri, 21 Apr 2006, Leif Johansson wrote:

> Actually you should use gssapi credentials forwarding instead. The only
> time you would need to extract a krb5 cache (which you magically happen
> to know is there) is for AFS, which I guess is your usecase :-)

No, GSSAPI credentials forwarding doesn't do what you want.

When you accept a GSSAPI context, you get a GSSAPI credentials structure
containing the delegated credentials. If you want to save this out to disk
so that it can be used by other programs, you need to convert that into a
Kerberos structure (or a different mechanism-specific representation, if
you're using a different mech), and then use an API specific to your
mechanism to store it.

[ Can you take a forwarded credential from gss_accept_sec_context and stuff
  it into gss_init_sec_context? I guess you can, but I've never tried ... ]

Delegating credentials in OpenSSH is the classic (non-perl) use case for
this, but it applies for any service which needs to make delegated
credentials available to other processes it invokes on behalf of the user.
We currently use it in a remote file editing system which prods other
database services such as LDAP to make updates. All of this happens in
different processes - so credentials which are held solely in memory are no
use.

Cheers,

Simon.