- How to handle mixed proxied and non-proxied credentials for one
Idea #0: Always use the proxy or no proxy. Period. Use an env var to
select mechglue config.
Idea #1: Some mechglue magic and minor constraints on the applications.
- mechglue needs to allow multiple providers to provide same
mechanisms, with GSS_Acquire/Add_cred*() trying all providers for
the desired mechanism(s) in order till one works or all fail;
- this does not work for GSS_Init/Accept_sec_context() when using
the default credential;
- for GSS_Init_sec_context() just pick one provider to be first
for default credential and let apps that want the other
provider acquire a credential handle instead of using the
default one (e.g., ssh -o GSSAPIInitiatorCredential=...);
- for GSS_Accept_sec_context() declare that all acceptor
credentials for any given mechanism must be proxied or not;
Idea #2: Use PGSS or GSS-APIv3 so we can have a caller context handle
via which to specify mechglue configuration.
- SPNEGO (any pseudo-mechanism) should not be proxied, as it will
re-enter the mechglue and call the proxy(ies) if needed (or not) as
- How to pass around ccaches ?
We simply don't.
1. For a user, we should probably deny init_sec_context initially, but if we
allow it we need to create a ccache like
The user will not have direct access to the cache.
2. For a normal service we will do the same, both accept and init contetx use
the configured keytab and the ccache will be in
3. For a trusted service we do the same as in 2. except when the service
asks us to init_sec_context as a user, in that case we will try to use the
user's ccache in /run/user/<username>/krb5cc, erroring out if it does not
exist or is expired.