GSS API and other questions

Sam Hartman hartmans at MIT.EDU
Mon Apr 15 05:19:19 EDT 2002


>>>>> "Ganesh" == Ganesh  <divyag at pacbell.net> writes:

    Ganesh> Hi, I am wondering if anybody in this group has any
    Ganesh> experience working with GSS API.

    Ganesh> I am developing a client/server program that requires that
    Ganesh> the client be authenticated to the server, and that all
    Ganesh> communication between client and server is encrypted. The
    Ganesh> requirement also dictates that my client and server be
    Ganesh> oblivious to the underlying security/authentication
    Ganesh> mechanism and protocol. Also, the program should work on
    Ganesh> windows and unix platforms.

    Ganesh> My understanding is that GSS API helps me to achieve the
    Ganesh> above-mentioned objectives. Is there a place where I can
    Ganesh> find a GSS library that works with both SSL and kerberos,
    Ganesh> and is available on unix and windows platforms?

You cannot use SSL in conjunction with GSS.  Or rather, you cannot use
SSL as a GSSAPI mechanism.  My recommendation for your security needs
is to use SASL and TLS, much as IMAP, SMTP and LDAP do.  SASL will
allow you to take advantage of all GSSAPI technology, but will also
allow you to use (ssl-encrypted) plaintext passwords when GSSAPI is
not available.

You should look at the CMU SASL library, which works on Windows, Mac
and Unix.  You should look at the implementations of LDAP, IMAP, or
BEEP to see how to integrate SSL and SASL together.


    Ganesh> The other question is .. Am I better off developing my own
    Ganesh> API (like GSS)?

No.  Years of work have gone into SASL and GSSAPI.  We've learned from
a lot of mistakes.  The probability you'll come up with something
better in your first try is very low.



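The pattern Sam describes above (SASL mechanism negotiation layered on TLS, preferring GSSAPI and falling back to a plaintext password only once the channel is encrypted) as an added, self-contained example. This is illustrative code written for this page, not code from the Kerberos list, the Cyrus SASL library, or any of the protocols mentioned; the preference order, the constructed user store, and the helper names are assumptions for the example. The PLAIN wire format follows RFC 4616; the GSSAPI and SCRAM token exchanges are deliberately left out of scope.

```python
"""Minimal SASL-style mechanism negotiation over an assumed TLS channel.

Mirrors how IMAP, SMTP and LDAP combine SASL and TLS: the server
advertises mechanisms, the client prefers GSSAPI, and the password-based
PLAIN mechanism (RFC 4616) is only used once the transport is encrypted.
Hypothetical example code, not from the Kerberos list or Cyrus SASL.
"""
import base64
import hashlib
import hmac

# Client preference order, strongest first (assumed policy for this example).
PREFERENCE = ["GSSAPI", "SCRAM-SHA-256", "PLAIN"]
# Mechanisms that transmit a reusable secret and therefore require TLS.
NEEDS_CONFIDENTIALITY = {"PLAIN", "LOGIN"}


def choose_mechanism(offered, channel_encrypted, gssapi_available):
    """Pick the first mechanism in PREFERENCE that the server offers and that
    the client can actually use here. Returns None if nothing is acceptable."""
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech == "GSSAPI" and not gssapi_available:
            continue
        if mech in NEEDS_CONFIDENTIALITY and not channel_encrypted:
            continue  # never send a password over a cleartext channel
        return mech
    return None


def plain_initial_response(authzid, authcid, password):
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, base64 on the wire."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL not allowed in PLAIN fields")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(wire):
    """Server-side decoding of a PLAIN initial response; rejects malformed input."""
    raw = base64.b64decode(wire, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)


# Constructed credential store for the example: salted PBKDF2, never plaintext.
_SALT = b"example-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USER_DB = {"ganesh": _hash("correct horse")}


def server_verify_plain(wire, channel_encrypted):
    """Server side: refuse PLAIN on a cleartext channel, then check the
    credentials with a constant-time comparison. Returns the user or None."""
    if not channel_encrypted:
        return None
    try:
        authzid, authcid, password = parse_plain(wire)
    except ValueError:
        return None
    stored = USER_DB.get(authcid)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None
    # An empty authzid means "act as the authenticated user"; this toy policy
    # does not allow proxy authorization as somebody else.
    if authzid and authzid != authcid:
        return None
    return authcid


def run_exchange(server_mechs, channel_encrypted, gssapi_available, creds):
    """Drive one negotiation; returns (chosen mechanism, authenticated user)."""
    mech = choose_mechanism(server_mechs, channel_encrypted, gssapi_available)
    if mech == "PLAIN":
        wire = plain_initial_response("", creds[0], creds[1])
        return mech, server_verify_plain(wire, channel_encrypted)
    # GSSAPI/SCRAM token exchanges are out of scope for this example.
    return mech, None


if __name__ == "__main__":
    # No Kerberos credentials available, but the channel is TLS-protected:
    # the client falls back to PLAIN and the server accepts it.
    print(run_exchange(["PLAIN", "GSSAPI"], True, False, ("ganesh", "correct horse")))
    # Same server, cleartext channel: no acceptable mechanism, nothing is sent.
    print(run_exchange(["PLAIN", "GSSAPI"], False, False, ("ganesh", "correct horse")))
```

The application code only ever calls `run_exchange`, which is the point of the design: the mechanism actually used (GSSAPI when Kerberos credentials exist, PLAIN over TLS otherwise) is decided by the negotiation, not hard-coded into the client or server.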