[19062] in Kerberos
Re: Exporting/Importing credentials
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Apr 14 15:55:12 2003
Message-ID: <3E9B11AC.EE680459@anl.gov>
Date: Mon, 14 Apr 2003 14:53:16 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Il-Sung Lee <ilslee@ca.ibm.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Il-Sung Lee wrote:
>
> Does anyone know how to export/import credentials using GSS-API? I was
> hoping that there were APIs similar to
> gss_export_sec_context/gss_import_sec_context for use with credentials so
> that I could pass the delegated credentials from one process to another.
> As far as I can tell, the delegated credential is only available in the
> memory cache of the process accepting the context.
>
> Any suggestions would be appreciated.
See: http://www.ietf.org/internet-drafts/draft-engert-ggf-gss-extensions-00.txt
There is a gss_export_cred, and gss_import_cred defined. I have a
gss_export_cred for Kerberos, and the Globus GSI has both implemented.
In the past this was left up to the application, to bypass the GSS and
write out a Kerberos cache. The OpenSSH with GSSAPI is an example of this,
as is the MIT src/appl/gssftp/ftpd/ftpd.c ftpd_gss_convert_creds routine.
It eventually calls gss_krb5_copy_ccache. Then KRB5CCNAME env is normally set.
The next process would use gss_acquire_cred.
>
> Thanks,
> Il-Sung.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
