FW: Talking with Kerberized services using GSS-API

STEWARD, Curtis (Jamestown) Curtis.Steward at trw.com
Fri Oct 18 08:47:57 EDT 2002


Hope you don't mind me chiming in; I've been wrestling with similar
issues myself. From what I understand, GSSAPI, which is a mechanism
provided by SASL, is superior. "The Kerberos authentication method is
deprecated, however, since superior Kerberos functionality is provided
by SASL." - http://www.linux-mag.com/2002-03/guru_02.html
Hopefully this helps to answer things?

Secondly, I understand SASL can offer up one mechanism (GSSAPI) on a
session and an additional session/mechanism such as EXTERNAL.
Why not provide for future flexibility? If I can offer up PKI via EXTERNAL
in addition to GSSAPI, does it defeat the purpose of PKINIT? I believe there
is a lot to be said for the SASL (GSSAPI) layer in the design of any API.

I'm just exploring this area and hopefully not off the thread: why wouldn't
one write to the GSSAPI API? Thoughts?

cs

-----Original Message-----
From: Wyllys Ingersoll [mailto:wyllys.ingersoll at sun.com]
Sent: Friday, October 18, 2002 7:15 AM
To: Christian
Cc: kerberos at mit.edu
Subject: Re: Talking with Kerberized services using GSS-API



GSSAPI apps cannot communicate directly with apps that only
speak raw Kerberos (and vice-versa).

The purpose of GSSAPI is to abstract the security mechanism
so that the applications are not locked into a specific mechanism.
Thus from a programming point of view, the client and server
do not ever make any direct calls to the Kerberos API.
The client may tell the server that it wishes to use Kerberos
by specifying the Kerberos_V5 OID value in the initial
token exchanges (gss_init_sec_context, etc).

The on-the-wire GSSAPI protocol is quite different from
Kerberos, thus the incompatibilities. The RFCs (2743, 2744)
provide a lot more information and detail than I can give you in a
brief response here, but what you are trying to do will
never work.

-Wyllys

Christian wrote:
> "Christian" <cgregoir99 at yahoo.com> wrote in message
> news:3dafbb25$0$210$4d4eb98e at read.news.fr.uu.net...
> 
>>Hello guys,
>>
>>I want my application to be able to talk with services secured with Kerberos
>>(telnetd for instance). I've started to have a look at MIT's GSS-API
>>examples, but I'm wondering: is it compatible? I mean, can my app
>>developed with GSS-API talk to services like MIT Kerberos telnetd?
>>
>>Looking at the gss-client and gss-server examples, they have their own
>>implementation of token handling. The GSS-API Programming Guide by SUN says
>>that it is the responsibility of the application to send and receive tokens
>>and manipulate them according to their type.
>>
>>So am I going the right way or should I switch to Kerberos APIs?
>>
>>Thanks.
>>
>>Christian.
>>
> 
> 
> I've tried to use the sserver example (K5 API) along with the gss-client example and
> it fails at context initialization. At one step, the client has sent tokens
> and waits for the server to reply. The server runs krb5_recvauth but this
> function never returns, the data sent by the client not being in the right
> format, I suppose.
> 
> I guess this is not supposed to work. Is that the answer to my question, that
> the K5 API and GSS-API are not compatible?
> 
> Christian.
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
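Wyllys's point that the two wire formats differ can be checked on the bytes themselves. The following is an added example, not code from this thread or from MIT Kerberos: it builds and parses the mechanism-independent InitialContextToken header of RFC 2743 section 3.1, the [APPLICATION 0] wrapper carrying the mechanism OID that gss_init_sec_context() emits on its first call and that the krb5 mechanism follows with a two-byte TOK_ID and the AP-REQ (RFC 1964 / RFC 4121). A bare krb5_mk_req() AP-REQ carries no such wrapper, which is why krb5_recvauth() in the sserver sample never sees a message it understands. The 4-byte length framing helpers are an assumption modelled on the style of the gss-client/gss-server samples, and the AP-REQ payload is a constructed placeholder, not a valid Kerberos message.

```python
"""
Added example (not from the thread, nor MIT Kerberos code): build and inspect
the mechanism-independent GSS-API token header of RFC 2743 section 3.1 and
tell it apart from a raw Kerberos AP-REQ.
"""
import struct

# DER-encoded OID contents (without the 0x06 tag and length byte).
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
SPNEGO_MECH_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KNOWN_MECHS = {KRB5_MECH_OID: "krb5", SPNEGO_MECH_OID: "spnego"}
KRB5_TOK_ID_AP_REQ = b"\x01\x00"  # TOK_ID for KRB_AP_REQ in the krb5 mechanism


def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def wrap_initial_token(mech_oid, inner):
    """InitialContextToken ::= [APPLICATION 0] { thisMech OID, innerContextToken }."""
    body = b"\x06" + der_len(len(mech_oid)) + mech_oid + inner
    return b"\x60" + der_len(len(body)) + body


def parse_initial_token(tok):
    """Split an RFC 2743 initial token into (mechanism OID, inner token)."""
    if not tok or tok[0] != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken ([APPLICATION 0] tag missing)")
    body_len, pos = read_der_len(tok, 1)
    if pos + body_len != len(tok):
        raise ValueError("token length does not match outer DER length")
    if tok[pos] != 0x06:
        raise ValueError("expected OID after the outer tag")
    oid_len, pos = read_der_len(tok, pos + 1)
    return tok[pos:pos + oid_len], tok[pos + oid_len:]


def oid_to_str(der):
    """Render DER OID contents as dotted decimal."""
    arcs = [der[0] // 40, der[0] % 40]
    val = 0
    for b in der[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def classify_first_token(tok):
    """Describe a peer's first token, for an acceptor or an admin debugging a failed handshake."""
    if not tok:
        return "empty"
    if tok[0] == 0x60:
        oid, inner = parse_initial_token(tok)
        if oid == KRB5_MECH_OID:
            if inner[:2] == KRB5_TOK_ID_AP_REQ:
                return "gssapi/krb5 AP-REQ"
            return "gssapi/krb5 TOK_ID " + inner[:2].hex()
        return "gssapi/" + KNOWN_MECHS.get(oid, "unknown " + oid_to_str(oid))
    if tok[0] == 0x6E:  # [APPLICATION 14] is the ASN.1 tag of a bare Kerberos AP-REQ
        return "raw Kerberos AP-REQ, not a GSS-API token"
    return "not a GSS-API token"


def frame_token(tok):
    """Assumed transport framing in the style of the MIT samples: 4-byte big-endian length."""
    return struct.pack("!I", len(tok)) + tok


def unframe_tokens(stream):
    """Recover every length-prefixed token from a captured byte stream."""
    tokens, pos = [], 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack("!I", stream[pos:pos + 4])
        tokens.append(stream[pos + 4:pos + 4 + n])
        pos += 4 + n
    return tokens


if __name__ == "__main__":
    # Constructed placeholder standing in for an AP-REQ body; not a valid Kerberos message.
    fake_ap_req = b"\x6e\x04PLCH"
    gss_tok = wrap_initial_token(KRB5_MECH_OID, KRB5_TOK_ID_AP_REQ + fake_ap_req)
    for t in unframe_tokens(frame_token(gss_tok) + frame_token(fake_ap_req)):
        print(t[:4].hex(), "->", classify_first_token(t))
```

Run it and the first framed token reports as a GSS-API krb5 AP-REQ while the second, the same placeholder body without the wrapper, is flagged as a raw AP-REQ; that difference at byte zero (0x60 versus 0x6e) is all a krb5_recvauth() server ever gets to see of a GSS-API client.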