Thanks, Greg, for your comments. That is the problem now: how to separate service tickets from the TGT so as to copy only those to a different cache? It would be great if you could give some pointers.

Best,
Arpit

On Wed, Mar 5, 2014 at 8:59 PM, Greg Hudson <[email protected]> wrote:
> On 03/05/2014 09:43 AM, Arpit Srivastava wrote:
> > 1. Is there any way to selectively expose the service ticket and not the
> > TGT to the applications (which will be using GSS APIs)? Can we store both
> > of them in different files and not together in a single krb5cc?
>
> You could copy the service ticket into a different ccache and expose
> only that to the application. GSSAPI applications will work fine if
> they have a service ticket and no TGT.
>
> There are no GSS functions for doing this kind of selective copying; you
> would have to use ccache functions from libkrb5, or use kinit -S (or
> equivalent) to avoid getting a TGT in the first place.
>
> > 2. If I give away the krb5cc (which also contains the TGT) to the
> > application, can the application make use of its TGT part (e.g. obtaining
> > service tickets for other SPNs for malicious purposes) after calling
> > acquire_cred or any other API?
>
> Yes, if you expose a TGT to an application then it could use that to
> obtain any service ticket.
>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
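One way to do the separation at the file level, as an added example that is not code from this thread or from MIT krb5: the script below parses a FILE-type ccache in format version 4 (the documented on-disk layout) and splits its records into two caches, one holding only service tickets for the application and one holding only the TGT, which stays out of the application's reach. It does not use the libkrb5 ccache API Greg mentions; the sample cache bytes are constructed here, with dummy key and ticket contents.

```python
import struct

class Reader:                               # cursor over a MIT FILE ccache (format v4) blob
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):                      # raw bytes; refuses to read past the end of the blob
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n: raise ValueError("truncated ccache")
        self.pos += n; return chunk
    def u(self, fmt):                       # one big-endian integer (H = 16-bit, I = 32-bit)
        return struct.unpack(">" + fmt, self.take(struct.calcsize(">" + fmt)))[0]
    def data(self):                         # 32-bit length followed by that many bytes
        return self.take(self.u("I"))
    def principal(self):                    # name type, component count, realm, components
        self.u("I"); n = self.u("I")
        return self.data(), [self.data() for _ in range(n)]
    def credential(self):                   # -> (server realm, server components, raw record bytes)
        start = self.pos; self.principal()  # remember record start; skip the client principal
        realm, comps = self.principal()     # server principal decides TGT vs. service ticket
        self.u("H"); self.data()            # keyblock: enctype (stored once in v4) + key bytes
        self.take(4 * 4 + 1 + 4)            # authtime..renew_till, is_skey, ticket_flags
        for _ in range(2):                  # addresses, then authdata: count, then (type, data) pairs
            for _ in range(self.u("I")):
                self.u("H"); self.data()
        self.data(); self.data()            # ticket, second_ticket
        return realm, comps, self.buf[start:self.pos]

def split_ccache(blob):
    """Return (service-ticket-only cache, TGT-only cache); both are complete v4 FILE ccaches."""
    r = Reader(blob)
    if r.u("H") != 0x0504: raise ValueError("only FILE ccache format v4 is handled")
    r.take(r.u("H")); r.principal()         # header tags (e.g. DeltaTime) and default principal
    preamble, services, tgts = blob[:r.pos], [], []   # the preamble is copied verbatim into both outputs
    while r.pos < len(blob):
        realm, comps, raw = r.credential()
        if realm == b"X-CACHECONF:": continue   # ccache config pseudo-entries are not tickets: drop
        (tgts if comps[:1] == [b"krbtgt"] else services).append(raw)
    return preamble + b"".join(services), preamble + b"".join(tgts)

# Constructed sample cache (dummy key and ticket bytes): alice's TGT plus one HTTP service ticket.
def _data(b): return struct.pack(">I", len(b)) + b
def _princ(realm, comps): return struct.pack(">II", 1, len(comps)) + _data(realm) + b"".join(map(_data, comps))
def _cred(client, server, ticket):
    return (_princ(*client) + _princ(*server) + struct.pack(">H", 18) + _data(b"K" * 32)
            + struct.pack(">IIIIBIII", 1, 1, 2, 3, 0, 0x40E10000, 0, 0) + _data(ticket) + _data(b""))
REALM, CLIENT = b"EXAMPLE.COM", (b"EXAMPLE.COM", [b"alice"])
SAMPLE_CCACHE = (struct.pack(">HHHHII", 0x0504, 12, 1, 8, 0, 0) + _princ(*CLIENT)
                 + _cred(CLIENT, (REALM, [b"krbtgt", REALM]), b"TGT-blob")
                 + _cred(CLIENT, (REALM, [b"HTTP", b"web.example.com"]), b"SVC-blob"))
```

Writing only the first return value to the file named in the application's KRB5CCNAME gives it exactly what Greg describes: a service ticket and no TGT.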
