Hi All,

1. Is there any way to selectively expose the service ticket and not the TGT to the applications (which will be using GSS APIs)? Can we store both of them in different files and not together in a single krb5cc?

2. If I give away the krb5cc (which also contains the TGT) to the application, can the application make use of its TGT part (e.g. obtaining service tickets for other SPNs for malicious purposes) after calling acquire_cred or any other API?

My use case is as follows: I have a centralized service for doing kinit and storing the krb5cc at an informed path. Now, I want applications (which will load the Kerberos library) to fetch credentials from this service (here, I don't want to expose the whole krb5cc) and use those credentials to call gss_init_sec_context() and thereon. I want to give away only that content of the credential cache (maybe by generating a service ticket using kvno) to the application, using which it can establish the context etc. Can exposing the whole krb5cc to the applications prove to be insecure? What should be the approach here? Please let me know if there is any specific GSS or Kerberos API that can be used here. Help would be highly appreciated.

Regards,
Arpit

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
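One concrete way to hand an application a service ticket without the TGT is to keep the central cache where it is, and give the application a second FILE: cache that contains the same header and default principal but only the non-krbtgt entries. The script below does that split on MIT Kerberos's FILE: credential cache format (version 4, the format current MIT libraries write). It is an added example for the question above, not code from MIT Kerberos or from the original post; the function names (`split_ccache`, `service_only_ccache`, `build_sample_ccache`) are hypothetical, and the sample cache it builds for offline testing is constructed, with fake keys and ticket blobs.

```python
"""Filter an MIT Kerberos FILE: credential cache (format version 4) down to
its service tickets, dropping every krbtgt entry.  Added example for the
mailing-list question; not MIT Kerberos code.  Helper names are hypothetical."""
import struct
import sys


def _u16(b, off):
    return struct.unpack_from(">H", b, off)[0], off + 2


def _u32(b, off):
    return struct.unpack_from(">I", b, off)[0], off + 4


def _octets(b, off):
    """uint32 length followed by that many bytes (all integers big-endian in v4)."""
    n, off = _u32(b, off)
    return b[off:off + n], off + n


def _principal(b, off):
    """uint32 name_type, uint32 component count, realm, then each component."""
    _name_type, off = _u32(b, off)
    ncomp, off = _u32(b, off)
    realm, off = _octets(b, off)
    comps = []
    for _ in range(ncomp):
        c, off = _octets(b, off)
        comps.append(c.decode())
    return (realm.decode(), comps), off


def _credential(b, off):
    """Walk one credential entry; return its server principal and end offset."""
    _client, off = _principal(b, off)
    server, off = _principal(b, off)
    off += 2                          # keyblock: uint16 enctype
    _key, off = _octets(b, off)       # uint32 keylen + session key
    off += 4 * 4 + 1 + 4              # authtime/starttime/endtime/renew_till, is_skey, ticket_flags
    for _ in range(2):                # addresses list, then authdata list
        count, off = _u32(b, off)
        for _ in range(count):
            off += 2                  # addrtype / ad_type
            _d, off = _octets(b, off)
    _ticket, off = _octets(b, off)
    _second_ticket, off = _octets(b, off)
    return server, off


def split_ccache(data):
    """Return (preamble, [(server_principal, raw_entry_bytes), ...])."""
    if data[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled")
    hlen, off = _u16(data, 2)
    off += hlen                       # tagged header fields, e.g. DeltaTime
    _default_principal, off = _principal(data, off)
    preamble, entries = data[:off], []
    while off < len(data):
        start = off
        server, off = _credential(data, off)
        entries.append((server, data[start:off]))
    return preamble, entries


def is_tgt(server):
    """krbtgt/REALM@REALM; also matches cross-realm TGTs krbtgt/OTHER@REALM."""
    _realm, comps = server
    return len(comps) == 2 and comps[0] == "krbtgt"


def service_only_ccache(data):
    """Same header and default principal, minus every ticket-granting ticket."""
    preamble, entries = split_ccache(data)
    return preamble + b"".join(raw for srv, raw in entries if not is_tgt(srv))


# --- constructed sample cache so the filter can be exercised offline ---------
def _enc_principal(realm, comps, name_type=1):
    out = struct.pack(">II", name_type, len(comps)) + struct.pack(">I", len(realm)) + realm.encode()
    return out + b"".join(struct.pack(">I", len(c)) + c.encode() for c in comps)


def _enc_credential(client, server, key, ticket, flags):
    out = _enc_principal(*client) + _enc_principal(*server)
    out += struct.pack(">HI", 18, len(key)) + key          # enctype 18 (aes256-cts), fake key
    out += struct.pack(">IIII", 1700000000, 1700000000, 1700036000, 1700604800)
    out += b"\x00" + struct.pack(">I", flags)              # is_skey, ticket_flags (constructed)
    out += struct.pack(">II", 0, 0)                        # no addresses, no authdata
    return out + struct.pack(">I", len(ticket)) + ticket + struct.pack(">I", 0)


def build_sample_ccache():
    """Constructed: DeltaTime header, default principal, one TGT, one HTTP ticket."""
    hdr = struct.pack(">HHII", 1, 8, 0, 0)
    user = ("EXAMPLE.COM", ["arpit"])
    data = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr + _enc_principal(*user)
    data += _enc_credential(user, ("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"]),
                            b"\x11" * 32, b"<tgt>", 0x40E10000)
    data += _enc_credential(user, ("EXAMPLE.COM", ["HTTP", "www.example.com"]),
                            b"\x22" * 32, b"<svc>", 0x40A10000)
    return data


if __name__ == "__main__":
    # usage: split_ccache.py /path/to/central/krb5cc /path/to/app/krb5cc
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ccache()
    out = service_only_ccache(src)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(out)
    for srv, _ in split_ccache(out)[1]:
        print("kept:", "/".join(srv[1]) + "@" + srv[0])
```

Workflow against a real cache: the central service runs `kvno HTTP/www.example.com` (or whatever SPN the application needs) with `KRB5CCNAME` pointing at its own cache, runs this filter to produce a second file, and hands only that file to the application, which sets `KRB5CCNAME=FILE:/that/path` before calling `gss_acquire_cred`/`gss_init_sec_context`. The library finds the cached ticket when the target name passed to `gss_init_sec_context` matches the stored server principal; with no krbtgt entry left, a request for any other SPN fails inside the library instead of being fulfilled by the KDC. Two caveats: the surviving entry still contains that ticket's session key, so whoever holds the file can authenticate as the user to that one service until the ticket's end time, and the filter keeps any `X-CACHECONF:` configuration entries MIT writes into the cache, which are harmless but visible. If the central service can afford an extra AS exchange per SPN, MIT `kinit -S HTTP/www.example.com` into a separate `-c` cache obtains that service ticket directly and never writes a TGT to the file at all.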
