curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Does libcurl support Kerberos constrained delegation?

From: Isaac Boukris <iboukris_at_gmail.com>
Date: Mon, 9 Jul 2018 09:45:52 +0300

On Mon, Jul 9, 2018, 05:30 Sachin Nikumbh <sanikumbh_at_gmail.com> wrote:

> Hi,
>
>
>
> I am looking at libcurl’s support on Kerberos delegation.
>
> The only thing I found is CURLOPT_GSSAPI_DELEGATION added in 7.22.0.
>
> https://curl.haxx.se/libcurl/c/CURLOPT_GSSAPI_DELEGATION.html
>
> However, there are several issues with this option:
>
> 1. Looks like this option is for the original Kerberos v5 delegation
> (unconstrained delegation for any services), not the Microsoft Kerberos
> protocol extension for constrained delegation.
> 2. It’s using GSSAPI. So does it work natively on Windows with SSPI?
>
>
>
> The preferred way to do Kerberos delegation is to do protocol transition
> (S4U2Self) and Constrained delegation (S4U2Proxy).
>
> https://msdn.microsoft.com/en-us/library/cc246071.aspx
>
> https://k5wiki.kerberos.org/wiki/Projects/Services4User
>
>
>
> Is this supported in libcurl?
>
> If not, is there any plan to support it?
>

It doesn't have much to do with libcurl, if the contains the delegated
credentials (e.g. acquired via gss_acquire_cred_impersonate_name) they will
be used by the gssapi library when invoked by libcurl.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-07-09