Hi, I was wondering about a use case I have when using S4U2proxy. (client->service1->service2)
The individual service tickets issued by the S4U2proxy TGS exchanges are transient and only last for a single request to service1 - and (more importantly) clients should be separated, so a ticket (client1->service2) should not be accessible to client2.

This works fine with a MEMORY ccache to hold the tickets. But since you can only provide 1 ccache to the libkrb5 API, that also means that service1 has to do an AS-REQ for a TGT to put in that MEMORY ccache for every request. In reality, service1 could have done fine with just having a single TGT in a persistent ccache and using that in every S4U2proxy TGS-REQ ... but putting the resulting ticket (client->service2) in the MEMORY ccache.

But AFAICS, the libkrb5 API does not allow you to specify an "input" and an "output" ccache. At a very low level, only one ccache is possible. struct _krb5_tkt_creds_context has 1 krb5_ccache member.

Is there a way to do what I'm looking for?

/Peter

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
