<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>FW: Talking with Kerberized services using GSS-API</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Hope you don't mind me chiming in, I've been wrestling with similar</FONT>
<BR><FONT SIZE=2>issues myself. From what I understand GSSAPI is superior, which is a</FONT>
<BR><FONT SIZE=2>mechanism provided by SASL. "The Kerberos authentication method is </FONT>
<BR><FONT SIZE=2>deprecated, however, since superior Kerberos functionality is provided </FONT>
<BR><FONT SIZE=2>by SASL. " - <A HREF="http://www.linux-mag.com/2002-03/guru_02.html" TARGET="_blank">http://www.linux-mag.com/2002-03/guru_02.html</A></FONT>
<BR><FONT SIZE=2>Hopefully this helps to answer things?</FONT>
</P>
<P><FONT SIZE=2>Secondly, I understand SASL can offer up one mechanism (GSSAPI) on a </FONT>
<BR><FONT SIZE=2>session and an additional session/mechanism such as EXTERNAL.</FONT>
<BR><FONT SIZE=2>Why not provide for future flexibility? If I can offer up PKI via EXTERNAL </FONT>
<BR><FONT SIZE=2>in addition to GSSAPI does it defeat the purpose of PKINIT? I believe there </FONT>
<BR><FONT SIZE=2>is a lot to be said for the SASL (GSSAPI) layer in the design of any API.</FONT>
</P>
<P><FONT SIZE=2>I'm just exploring this area and hopefully not off the thread, why wouldn't</FONT>
<BR><FONT SIZE=2>one write to the GSSAPI API? Thoughts?</FONT>
</P>
<P><FONT SIZE=2>cs</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Wyllys Ingersoll [<A HREF="mailto:wyllys.ingersoll@sun.com">mailto:wyllys.ingersoll@sun.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Friday, October 18, 2002 7:15 AM</FONT>
<BR><FONT SIZE=2>To: Christian</FONT>
<BR><FONT SIZE=2>Cc: kerberos@mit.edu</FONT>
<BR><FONT SIZE=2>Subject: Re: Talking with Kerberized services using GSS-API</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>GSSAPI apps cannot communicate directly with apps that only</FONT>
<BR><FONT SIZE=2>speak raw Kerberos (and vice-versa).</FONT>
</P>
<P><FONT SIZE=2>The purpose of GSSAPI is to abstract the security mechanism</FONT>
<BR><FONT SIZE=2>so that the applications are not locked into a specific mechanism.</FONT>
<BR><FONT SIZE=2>Thus from a programming point of view, the client and server</FONT>
<BR><FONT SIZE=2>do not ever make any direct calls to the Kerberos API.</FONT>
<BR><FONT SIZE=2>The client may tell the server that it wishes to use Kerberos</FONT>
<BR><FONT SIZE=2>by specifying the Kerberos_V5 OID value in the initial</FONT>
<BR><FONT SIZE=2>token exchanges (gss_init_sec_context, etc).</FONT>
</P>
<P><FONT SIZE=2>The on-the-wire GSSAPI protocol is quite different from</FONT>
<BR><FONT SIZE=2>Kerberos, thus the incompatibilities. The RFCs (2743, 2744)</FONT>
<BR><FONT SIZE=2>provide a lot more information and detail than I can give you in a</FONT>
<BR><FONT SIZE=2>brief response here, but what you are trying to do will</FONT>
<BR><FONT SIZE=2>never work.</FONT>
</P>
<P><FONT SIZE=2>-Wyllys</FONT>
</P>
<P><FONT SIZE=2>Christian wrote:</FONT>
<BR><FONT SIZE=2>> "Christian" <cgregoir99@yahoo.com> wrote in message</FONT>
<BR><FONT SIZE=2>> <A HREF="news:3dafbb25$0$210$4d4eb98e@read.news.fr.uu.net" TARGET="_blank">news:3dafbb25$0$210$4d4eb98e@read.news.fr.uu.net</A>...</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>>>Hello guys,</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>>I want my application to be able to talk with services secured with Kerberos</FONT>
<BR><FONT SIZE=2>>>(telnetd for instance). I've started to have a look at MIT's GSS-API</FONT>
<BR><FONT SIZE=2>>>examples, but I'm wondering: is it compatible? I mean, can my app</FONT>
<BR><FONT SIZE=2>>>developed with GSS-API talk to services like MIT Kerberos telnetd?</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>>Looking at the gss-client and gss-server examples, they have their own</FONT>
<BR><FONT SIZE=2>>>implementation of token handling. The GSS-API Programming Guide by SUN says</FONT>
<BR><FONT SIZE=2>>>that it is the responsibility of the application to send and receive tokens</FONT>
<BR><FONT SIZE=2>>>and manipulate them according to their type.</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>>So am I going the right way or should I switch to Kerberos APIs?</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>>Thanks.</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>>Christian.</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> I've tried to use sserver example (K5 API) along with gss-client example and</FONT>
<BR><FONT SIZE=2>> it fails at context initialization. At one step, the client has sent tokens</FONT>
<BR><FONT SIZE=2>> and wait for the server to reply. The server runs krb5_recvauth but this</FONT>
<BR><FONT SIZE=2>> function never returns, data sent by the client not being in the right</FONT>
<BR><FONT SIZE=2>> format, I suppose.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> I guess this is not supposed to work. Is it the answer to my question, that</FONT>
<BR><FONT SIZE=2>> K5 API and GSS-API are not compatible?</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Christian.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> ________________________________________________</FONT>
<BR><FONT SIZE=2>> Kerberos mailing list Kerberos@mit.edu</FONT>
<BR><FONT SIZE=2>> <A HREF="http://mailman.mit.edu/mailman/listinfo/kerberos" TARGET="_blank">http://mailman.mit.edu/mailman/listinfo/kerberos</A></FONT>
</P>
<BR>
<P><FONT SIZE=2>________________________________________________</FONT>
<BR><FONT SIZE=2>Kerberos mailing list Kerberos@mit.edu</FONT>
<BR><FONT SIZE=2><A HREF="http://mailman.mit.edu/mailman/listinfo/kerberos" TARGET="_blank">http://mailman.mit.edu/mailman/listinfo/kerberos</A></FONT>
</P>
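<P><FONT SIZE=2>An added illustration of the two points Wyllys makes above (example code, not from this thread and not MIT's gss-client/gss-server samples): the application itself frames and ships the context tokens, and the first token is an RFC 2743 section 3.1 envelope that starts with the mechanism OID, which a peer running krb5_recvauth has no way to interpret. The 4-byte length framing is taken from the MIT sample programs' convention and the raw first message is the krb5_sendauth version string; both are assumptions about those programs, not part of GSS-API itself.</FONT>
</P>
<PRE>
```python
"""Added illustration (not code from this thread or from MIT's gss-client/gss-server):
app-side token framing plus the RFC 2743 3.1 initial-token envelope with the mech OID."""
import struct

# DER-encoded Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
KRB5_MECH_OID = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02])
# Constructed stand-in for what a raw krb5_sendauth client writes first (no 0x60 tag)
RAW_KRB5_FIRST_MESSAGE = b"KRB5_SENDAUTH_V1.0\x00"

def frame_token(token):
    """Application-level framing: 4-byte network-order length, then the token."""
    return struct.pack("!I", len(token)) + token

def unframe_token(buf):
    """Inverse of frame_token; returns (token, remaining bytes)."""
    if 4 > len(buf):
        raise ValueError("short frame header")
    (n,) = struct.unpack("!I", buf[:4])
    if n + 4 > len(buf):
        raise ValueError("truncated token")
    return buf[4:4 + n], buf[4 + n:]

def build_initial_token(mech_oid, inner_token):
    """0x60, DER length, 0x06 mech OID, then the mechanism's own first token."""
    body = bytes([0x06, len(mech_oid)]) + mech_oid + inner_token
    n = len(body)
    if 128 > n:
        length = bytes([n])
    elif 256 > n:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return b"\x60" + length + body

def parse_initial_token(token):
    """Return (mech_oid, inner_token); raise ValueError for a non-GSS first message."""
    if 2 > len(token) or token[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    if token[1] & 0x80:  # long-form DER length: 0x8N followed by N length bytes
        nbytes = token[1] & 0x7F
        total, pos = int.from_bytes(token[2:2 + nbytes], "big"), 2 + nbytes
    else:
        total, pos = token[1], 2
    if pos + total != len(token) or 2 > total or token[pos] != 0x06:
        raise ValueError("malformed token envelope")
    oid_len = token[pos + 1]
    oid = token[pos + 2:pos + 2 + oid_len]
    if len(oid) != oid_len:
        raise ValueError("truncated mechanism OID")
    return oid, token[pos + 2 + oid_len:]
```
</PRE>
<P><FONT SIZE=2>Feeding RAW_KRB5_FIRST_MESSAGE to parse_initial_token raises, while a token built with KRB5_MECH_OID round-trips through frame_token/unframe_token and parses back to the same OID and inner token.</FONT>
</P>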
</BODY>
</HTML>