Hi Greg

I am the product manager of the Single Sign-on solution Airlock. We are interested in adding support for resource based Kerberos constrained delegation (RBKCD) to our solution but currently miss the corresponding feature in krb5-libs. You have been discussing this before with Stefan Dietiker (see below). Therefore, I’d like to ask a couple of questions:
- According to your experience, what’s the estimated effort for adding RBKCD to krb5-libs?
- Is RBKCD somewhere on the roadmap?
- Is there a way of sponsoring a feature?

Thanks in advance for your time

Best regards
Martin

--
Dr. Martin Burkhart
Head of Product Management Application Security
https://www.airlock.com
martin.burkh...@ergon.ch
+41 44 268 83 27

Ergon Informatik AG, Merkurstrasse 43, CH-8032 Zürich
http://www.ergon.ch
______________________________________________________________
e r g o n smart people - smart software

> -----Original Message-----
> From: Greg Hudson [mailto:ghud...@mit.edu]
> Sent: Tuesday, 28 June 2016 16:59
> To: Stefan Dietiker <stefan.dieti...@ergon.ch>; kerberos@mit.edu
> Subject: Re: AW: Resource based kerberos constrained delegation
>
> On 06/28/2016 06:03 AM, Stefan Dietiker wrote:
>> A few months ago I have asked you whether it is possible with
>> krb5-libs to do Resource Based Kerberos Constrained Delegation or not.
>> You mentioned that the Kerberos libs do not include the
>> PA-PAC-OPTIONS which are required for this purpose. Recently I was
>> tracking the changes in the git repo and realized that a new option
>> "--request-pac" is available.
>
> I don't believe this change bears any relation to resource based
> constrained delegation. PA-PAC-REQUEST is different from PA-PAC-OPTIONS.
>
> (I would also assume there is substantially more to implementing resource
> based constrained delegation on the client than just sending the
> PA-PAC-OPTIONS bit, or there would be no reason to have the bit in the
> protocol.)

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos