By setting the impersonate flag to true, the acquisition of credentials will
be done using constrained delegation (s4uself + s4u2proxy).

To work this needs MIT Kereberos 1.11.4 or later.
Previous versions have a bug in the import_cred function that prevents the
library from properly importing previously exported delegated credentials.

Resolves: https://fedorahosted.org/gss-proxy/ticket/95

Credentials can often be used both to accept and to initiate contexts.
With this option admins can allow a specific usage only.
This is to avoid allowing an unprivileged process to fool a remote
client by allowing it to impersonate a server, when we only want to
allow this service to use credentials to initiate contexts.

Reviewed-by: Günther Deschner <gdeschner@redhat.com

The rpc.gssd daemon is changing to fork and change uid to the unprivileged
user it wants to authenticate, this means gssproxy needs to allow connection
from any euid. When this is done though, the trusted flag needs to be dropped,
if the connecting euid does not match the default trusted uid to prevent
improper impersonation.

Resolves: https://fedorahosted.org/gss-proxy/ticket/103
Reviewed-by: Günther Deschner <gdeschner@redhat.com

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

LOCAL_FIRST is our default

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

We were erroneously returning and never falling back if LOCAL_FIRST was
selected. Correct also the remote first fallback flow.

Resolves: https://fedorahosted.org/gss-proxy/ticket/105

Reviewed-by: Günther Deschner <gdeschner@redhat.com>

Resolves Coverity CID #12027.

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>