On Wed, 2014-03-05 at 20:13 +0530, Arpit Srivastava wrote:
> Hi All,
>
> 1. Is there any way to selectively expose the service ticket and not the
> TGT to the applications (which will be using GSS APIs)? Can we store both
> of them in different files and not together in a single krb5cc?
>
> 2. If I give away the krb5cc (which also contains the TGT) to the
> application, can the application make use of its TGT part (e.g. obtaining
> service tickets for other SPNs for malicious purposes) after calling
> acquire_cred or any other API?
>
> My use case is as follows:
>
> I have a centralized service for doing kinit and storing krb5cc at an
> informed path. Now, I want applications (which will load the Kerberos
> library) to fetch credentials (here, I don't want to expose the whole
> krb5cc) from this service and use those credentials to call
> gss_init_sec_context() and thereon. I want to give away only that content
> of the credential cache (maybe by generating a service ticket using kvno)
> to the application, using which it can establish the context etc. Can
> exposing the whole krb5cc to the applications prove to be insecure? What
> should be the approach here? Please let me know if there is any specific
> GSS or Kerberos API that can be used here.
> Help would be highly appreciated.
You could look into using GSS-Proxy to handle privilege separation:
https://fedorahosted.org/gss-proxy/
However, it requires the exclusive use of GSSAPI calls in the applications, no direct krb5 calls.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
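As an added example that is not part of this thread (neither the poster's nor GSS-Proxy's code): a small Python reader/writer for MIT krb5 FILE credential caches, format version 4, following the field layout documented for that format. It lists what a krb5cc holds, tells TGT entries (server principal krbtgt/REALM@REALM) apart from ordinary service tickets, and writes a copy containing only the service tickets, which is the split the question asks about. Everything is constructed in-process: the principals alice@EXAMPLE.COM and HTTP/app.example.com@EXAMPLE.COM, the key bytes, the ticket blobs and the timestamps are all made up, and no KDC or real cache file is touched.

```python
# Added example: minimal MIT krb5 FILE ccache (format v4) reader/writer used to
# split TGT entries from service tickets. Layout follows the documented v4
# format; all sample data below is constructed, not captured from a real KDC.
import struct


def _cstr(data: bytes) -> bytes:
    """counted_octet_string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _principal(realm: str, comps: list) -> bytes:
    """v4 principal: name_type, component count, realm, then each component."""
    name_type = 1  # KRB5_NT_PRINCIPAL; adequate for this constructed sample
    out = struct.pack(">II", name_type, len(comps)) + _cstr(realm.encode())
    return out + b"".join(_cstr(c.encode()) for c in comps)


def build_cred(client, server, ticket: bytes) -> bytes:
    """One credential record. client/server are (realm, [components])."""
    body = _principal(*client) + _principal(*server)
    body += struct.pack(">H", 18) + _cstr(b"\x11" * 32)   # keyblock: enctype 18 (aes256-cts), dummy key
    body += struct.pack(">IIII", 1_700_000_000, 1_700_000_000, 1_700_036_000, 0)  # authtime, starttime, endtime, renew_till (constructed)
    body += b"\x00"                                          # is_skey
    body += struct.pack(">I", 0x40E10000)                    # ticket_flags (constructed value)
    body += struct.pack(">I", 0)                             # addresses: none
    body += struct.pack(">I", 0)                             # authdata: none
    return body + _cstr(ticket) + _cstr(b"")                 # ticket, second_ticket


def build_ccache(default_principal, creds: list) -> bytes:
    """Whole cache: version 0x0504, header (DeltaTime tag), default principal, records."""
    header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)  # tag 1 = DeltaTime (sec, usec)
    return (b"\x05\x04" + struct.pack(">H", len(header)) + header
            + _principal(*default_principal) + b"".join(creds))


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def cstr(self) -> bytes: return self.take(self.u32())

    def principal(self):
        self.u32()                      # name_type, not needed here
        n = self.u32()
        realm = self.cstr().decode()
        return realm, [self.cstr().decode() for _ in range(n)]


def parse_ccache(data: bytes):
    """Return (default_principal, [{'client', 'server', 'raw'}]) for a v4 cache."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format v4 is handled here")
    r.take(r.u16())                     # skip header fields
    default = r.principal()
    creds = []
    while r.pos < len(data):
        start = r.pos
        client, server = r.principal(), r.principal()
        r.u16(); r.cstr()               # keyblock: enctype, key
        r.take(16)                      # four 32-bit timestamps
        r.take(1); r.u32()              # is_skey, ticket_flags
        for _ in range(r.u32()): r.u16(); r.cstr()   # addresses
        for _ in range(r.u32()): r.u16(); r.cstr()   # authdata
        r.cstr(); r.cstr()              # ticket, second_ticket
        creds.append({"client": client, "server": server, "raw": data[start:r.pos]})
    return default, creds


def fmt_principal(p) -> str:
    realm, comps = p
    return "/".join(comps) + "@" + realm


def is_tgt(server) -> bool:
    """A TGT's server principal is krbtgt/<realm>@<realm>."""
    realm, comps = server
    return len(comps) == 2 and comps[0] == "krbtgt" and comps[1] == realm


def service_only_ccache(data: bytes) -> bytes:
    """Rewrite the cache with every TGT entry dropped; other records are copied verbatim."""
    default, creds = parse_ccache(data)
    return build_ccache(default, [c["raw"] for c in creds if not is_tgt(c["server"])])


# Constructed sample: one TGT plus one HTTP service ticket for alice@EXAMPLE.COM.
CLIENT = ("EXAMPLE.COM", ["alice"])
TGT = ("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"])
HTTP = ("EXAMPLE.COM", ["HTTP", "app.example.com"])


def sample_ccache() -> bytes:
    return build_ccache(CLIENT, [build_cred(CLIENT, TGT, b"TGT-BLOB"),
                                 build_cred(CLIENT, HTTP, b"SVC-BLOB")])


if __name__ == "__main__":
    for label, blob in (("full cache", sample_ccache()),
                        ("service-only cache", service_only_ccache(sample_ccache()))):
        default, creds = parse_ccache(blob)
        print(f"{label}: default principal {fmt_principal(default)}")
        for c in creds:
            print(f"  {fmt_principal(c['server'])}{'  (TGT)' if is_tgt(c['server']) else ''}")
```

The service-only cache still lets an application present the existing HTTP ticket through gss_init_sec_context(), but it holds nothing the application could use to ask the KDC for tickets to other SPNs. The trade-off is operational: the central kinit service has to re-issue the cache for every new SPN, and an existing ticket remains usable until its end time. GSS-Proxy, as suggested above, sidesteps the split by keeping the whole cache out of the application process in the first place. Real MIT caches may also carry X-CACHECONF: configuration entries; this parser simply copies them through as ordinary records.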
