On 03/05/2014 09:43 AM, Arpit Srivastava wrote: > 1. Is there any way to selectively expose service ticket and not the > TGT to the applications (which will be using GSS APIs) ? Can we store both > of them in different files and not together in single krb5cc ?
You could copy the service ticket into a different ccache and expose only that to the application. GSSAPI applications will work fine if they have a service ticket and no TGT. There are no GSS functions for doing this kind of selective copying; you would have to use ccache functions from libkrb5, or use kinit -S (or equivalent) to avoid getting a TGT in the first place. > 2. If I give away the krb5cc ( which also contains TGT) to the > application, Can application make use (for eg. obtaining service tickets > for other SPNs for malicious purposes) of its TGT part after calling > acquire_cred or any other API ? Yes, if you expose a TGT to an application then it could use that to obtain any service ticket. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
