Talking with Kerberized services using GSS-API

Christian cgregoir99 at yahoo.com
Fri Oct 18 09:30:20 EDT 2002


"Wyllys Ingersoll" <wyllys.ingersoll at sun.com> wrote in message
news:3DAFFB4A.6030305 at sun.com...
>
> GSSAPI apps cannot communicate directly with apps that only
> speak raw Kerberos (and vice-versa).
>
> The purpose of GSSAPI is to abstract the security mechanism
> so that the applications are not locked into a specific mechanism.
> Thus from a programming point of view, the client and server
> do not ever make any direct calls to the Kerberos API.
> The client may tell the server that it wishes to use Kerberos
> by specifying the Kerberos_V5 OID value in the initial
> token exchanges (gss_init_sec_context, etc).
>
> The on-the-wire GSSAPI protocol is quite different from
> Kerberos, thus the incompatibilities. The RFCs (2743, 2744)
> provide a lot more information and detail than I can give you in a
> brief response here, but what you are trying to do will
> never work.
>
> -Wyllys
>
> Christian wrote:
> > "Christian" <cgregoir99 at yahoo.com> wrote in message
> > news:3dafbb25$0$210$4d4eb98e at read.news.fr.uu.net...
> >
> >>Hello guys,
> >>
> >>I want my application to be able to talk with services secured with Kerberos
> >>(telnetd for instance). I've started to have a look at MIT's GSS-API
> >>examples, but I'm wondering : is it compatible ? I mean, can my app
> >>developed with GSS-API talk to services like MIT Kerberos telnetd ?
> >>
> >>Looking at the gss-client and gss-server examples, they have their own
> >>implementation of token handling. The GSS-API Programming Guide by SUN says
> >>that it is the responsibility of the application to send and receive tokens
> >>and manipulate them according to their type.
> >>
> >>So am I going the right way or should I switch to Kerberos APIs ?
> >>
> >>Thanks.
> >>
> >>Christian.
> >>
> >
> >
> > I've tried to use sserver example (K5 API) along with gss-client example and
> > it fails at context initialization. At one step, the client has sent tokens
> > and waits for the server to reply. The server runs krb5_recvauth but this
> > function never returns, data sent by the client not being in the right
> > format I suppose.
> >
> > I guess this is not supposed to work. Is it the answer to my question, that
> > K5 API and GSS-API are not compatible ?
> >
> > Christian.
> >

First of all, thanks for your answer Wyllys.

OK, let's say I want my app to talk to a mail server which is secured. Does
that mean that I first need to know the method used to implement it, before
talking to it with the right interface? GSS-API or KV5 API ? Or even SASL ?
Speaking about SASL, I guess the problem is the same since I recall having
read that you have to provide it with the underlying auth method to be used.

At this point, I just want some advice: if my above guess is right, should I
be using SASL API, just having to indicate to it the method to use ?

Christian.
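
The framing difference discussed in this thread, as an added example that is not part of the original messages or of the MIT sample code: a GSS-API initial context token wraps the Kerberos AP-REQ in an [APPLICATION 0] header carrying the mechanism OID (RFC 2743 section 3.1) plus a two-byte token ID (RFC 1964), while a raw Kerberos peer expects the bare AP-REQ. The function and enum names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* DER body of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964). */
static const unsigned char KRB5_MECH_OID[] =
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
enum first_token { TOK_UNKNOWN, TOK_RAW_AP_REQ, TOK_GSS_KRB5_AP_REQ, TOK_GSS_OTHER_MECH };

/* Read a DER definite length at buf[*pos]; 0 on success, -1 if malformed. */
static int der_len(const unsigned char *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    size_t cnt = buf[(*pos)++], v = 0;
    if (cnt < 0x80) { *out = cnt; return 0; }
    cnt &= 0x7f;
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
    while (cnt--) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 0;
}

/* Classify the first token a peer sent by its framing only (hypothetical helper). */
enum first_token classify_first_token(const unsigned char *buf, size_t n)
{
    size_t pos = 1, len, oid_len;
    if (n == 0) return TOK_UNKNOWN;
    if (buf[0] == 0x6e)   /* [APPLICATION 14]: bare KRB_AP_REQ, raw Kerberos */
        return der_len(buf, n, &pos, &len) == 0 ? TOK_RAW_AP_REQ : TOK_UNKNOWN;
    if (buf[0] != 0x60) return TOK_UNKNOWN;   /* [APPLICATION 0]: GSS-API token */
    if (der_len(buf, n, &pos, &len) || len > n - pos) return TOK_UNKNOWN;
    if (pos >= n || buf[pos++] != 0x06) return TOK_UNKNOWN;   /* OID tag */
    if (der_len(buf, n, &pos, &oid_len) || oid_len > n - pos) return TOK_UNKNOWN;
    if (oid_len != sizeof KRB5_MECH_OID || memcmp(buf + pos, KRB5_MECH_OID, oid_len))
        return TOK_GSS_OTHER_MECH;
    pos += oid_len;
    /* RFC 1964 inner token: TOK_ID 01 00, then the AP-REQ itself (tag 0x6e). */
    if (n - pos < 3 || buf[pos] != 0x01 || buf[pos + 1] != 0x00 || buf[pos + 2] != 0x6e)
        return TOK_UNKNOWN;
    return TOK_GSS_KRB5_AP_REQ;
}

int main(void)
{   /* Constructed sample: GSS-API header + krb5 OID + TOK_ID + empty AP-REQ stub. */
    static const unsigned char gss[] = {0x60, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00, 0x6e, 0x00};
    printf("gss=%d raw=%d\n", classify_first_token(gss, sizeof gss),
           classify_first_token(gss + 15, 2));
    return 0;
}
```

The last two bytes of the constructed GSS-API token are exactly what the raw classifier accepts, which is the point: the same AP-REQ sits inside, but a peer reading raw Kerberos framing sees the 0x60 header first and cannot parse it.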





