IETF-SSH archive


GSS-APIv2 Extension for Storing Delegated Credentials



I just posted the following I-D, which I think the KRB WG and
implementors of draft-ietf-secsh-gsskeyex may find interesting:

http://www.ietf.org/internet-drafts/draft-williams-gssapi-store-deleg-creds-00.txt

"
Abstract

   This document defines a new function for the GSS-API which allows
   applications to store delegated (and other) credentials in the
   implicit GSS-API credential store.  This is needed for GSS-API
   applications to use delegated credentials as they would use other
   credentials.
"

Currently, any implementation of SSHv2 w/ gssapi userauth or keyex has
to have some trouble dealing with delegated credentials, or the platform
it runs on must make some annoying assumptions.

For example, Simon Wilkinson's patches to OpenSSH require the use of
interfaces that are internal to Heimdal, MIT krb5 or GSI in order to do
anything useful with delegated credentials.

The only ways, that I can see, to remove this use of internal interfaces
are:

 - don't use delegated creds

 - have the GSS-API make the creds available only for the user account
   that is primarily associated with the principal name of the
   delegated creds (but this means that the deleg creds won't be
   available when logging in to a different user account)

 - extend the GSS-API to correct the delegated credentials uselessness
   wrinkle

This I-D proposes a simple extension to the GSS-API that allows acceptor
applications to make delegated credentials available for acquisition and
use to other processes sharing a given "credential store."

[Note that the notion of "credential store" is implicit, as described in
 the I-D, in rfcs 2743 and 2744.]


Cheers,

Nico