Commit cb2abc2

committed
add note about how to deal with ccache files
1 parent 07f485c commit cb2abc2

File tree

1 file changed

+15
-0
lines changed
NOTES

Lines changed: 15 additions & 0 deletions
@@ -28,3 +28,18 @@
2828
- SPNEGO (any pseudo-mechanism) should not be proxied, as it will
2929
re-enter the mechglue and call the proxy(ies) if needed (or not) as
3030
appropriate.
31+
32+
33+
- How to pass around ccaches ?
34+
We simply don't.
35+
1. For a user, we should probably deny init_sec_context initially, but if we
36+
allow it we need to create a ccache like
37+
/var/lib/gssproxy/cc/krb5cc_<userename>
38+
The user will not have direct access to the cache.
39+
2. For a normal service we will do the same, both accept and init contetx use
40+
the configured keytab and the ccache will be in
41+
/var/lib/gssproxy/cc/krb5cc_<servicename>
42+
3. For a trusted service we do the same as in 2. except when the service
43+
asks us to init_sec_context as a user, in that case we will try to use the
44+
user's ccache in /run/user/<username>/krb5cc, erroring out if it does not
45+
exist or is expired.
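Review bot: items 1 and 2 put user and service caches in the same directory with the same naming scheme (/var/lib/gssproxy/cc/krb5cc_<userename> and /var/lib/gssproxy/cc/krb5cc_<servicename>), so a service whose name matches a local user name would share a ccache with that user; consider separate subdirectories or a prefix that encodes the principal type, and state who owns that directory and with what mode, since item 1 only says "The user will not have direct access to the cache". Item 3 uses /run/user/<username>/krb5cc while the runtime directory under /run/user is conventionally keyed by numeric uid; say which one is meant and how the user is identified, and say whether the error path ("erroring out if it does not exist or is expired") should instead fall back to the item 1 cache. Item 1 also leaves "deny init_sec_context initially, but if we allow it" undefined: note whether "allow" is a per-user or per-service configuration option. Minor: "userename" should be "username" and "contetx" should be "context".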