cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Option to specify Kerberos credential-cache when used via GSSAPI

From: Isaac Boukris <iboukris_at_gmail.com>
Date: Thu, 24 Mar 2016 01:57:28 +0200

Hi Steve,

On Wed, Mar 23, 2016 at 9:30 PM, Steve Holme <steve_holme_at_hotmail.com> wrote:
> It has been on my TODO list for a while but I would like to see specific
> user support as well (for -u user) like SSPI can do - is that something that
> the credentials-cache can help with or are the two totally separate?

It could help in a way, as it will allow credentials acquired with
different passwords to be saved in different ccache.
However, acquiring credentials with password is complicated (but
possible) due to caching of krb5 tickets and to mechanism specific
aspects.

> I would recommend specific options for specific roles rather than trying to
> introduce a generic key-value pair mechanism would might be complicated to
> use from one, other or both curl and libcurl.
>
>
>
> Additionally, would this proposed functionality:
>
>
>
> * Include HTTP SPNego (Negotiate) via GSS-API as well or just Kerberos 5?
>
> * Be for krb5.c - as used in FTP
>
> * Be for the SASL Kerberos 5 implementation - currently curl_sasl_gsspi.c
> although shortly about to change)
>
> * Include Kerberos 5 Socks 5 proxy authentication - in socks_gssapi.c

Yes, it should include all the above as they use Curl_gss_init_sec_context.

Thanks for your comments!
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-03-24