Kerberos: The Definitive Guide now available

Dick Joltes djoltes at austin.ibm.com
Thu Aug 21 12:15:55 EDT 2003


Wyllys said:

>I'm not sure how much of the Kerberos API is considered "stable" (i.e.
>not subject to change from revision to revision).  Writing a book
>about the API as it stands today in 1.3 might be out-of-date in a
>year or whenever 1.4 comes out.
>
>The API is not standard, it is not specified by any RFC, thus it's harder
>to document it definitively.

True enough, but at least one site I've seen discriminates between the
(unstable) internal functions and the (hopefully more stable) exposed
API.  The exposed stuff must be more stable since there are people out
there writing applications against it and using others that have been
around for a while.  I wouldn't attempt to document internals except
to say "use this at your own risk."

>Microsoft documented much of what you are asking about recently.
>I don't have a link handy, but you can search for it on the MSDN website
>or maybe someone reading this list will post it.

Maybe this is the URL you're thinking of:

http://meta.cesnet.cz/software/heimdal/draft-brezak-spnego-http-04.txt

>Most of what you are doing would be done via the GSSAPI interface
>and should not involve writing to the KRB5 API at all.  SPNEGO is
>a GSSAPI mechanism, but there currently are not any open source
>SPNEGO implementations that I'm aware of.

Take a look at http://negotiateauth.mozdev.org/.


Dick Joltes
Staff Software Engineer, IBM Pittsburgh/IBM Austin
DCE L3 Maintenance Team
djoltes at austin.ibm.com or djoltes at us.ibm.com


