rpc.gssd or other applications may use the cache configured with default_ccache_name (krb5.conf). If the cache file of gssproxy (cred_store=ccache:FILE:xxxxxx) is deleted, the gssproxy service returns an empty credential when processing a GSSX_ARG-ACQUIRE_CRED request, unless the user clears the default_ccache_name cache. However, users may not even be aware of the existence of the default_ccache_name cache. In this situation, it may be better for gssproxy to try to obtain new credentials.

Signed-off-by: yixiangzhike <yixiangzhike007@163.com>

This is the gss-proxy project.
Documentation lives in the docs folder of this repository.
The goal is to have a GSS-API proxy, with standardizable protocol and a (somewhat portable) reference client and server implementation. There are several motivations for this, some of which are:

- Kernel-mode GSS-API applications (CIFS, NFS, AFS, ...) need to be able to leave all complexity of GSS_Init/Accept_sec_context() out of the kernel by upcalling to a daemon that does all the dirty work.
- Isolation and privilege separation for user-mode applications. For example: letting HTTP servers use but not see the keytab entries for HTTP/* principals for accepting security contexts.
- Possibly an ssh-agent-like SSH agent for GSS credentials -- a gss-agent.

gss-proxy uses libverto for dealing with event loops. Note that you need to have at least one libverto event library installed (e.g. libverto-tevent).
We have a mailing list and an IRC channel (#gssapi on libera.chat).