Krb5 API vs. GSSAPI

Frank Balluffi frank.balluffi at db.com
Wed Jan 19 13:55:30 EST 2005


Kirill,

Users of MIT GSSAPI, which does not support SPNEGO, need to implement code 
to add SPNEGO wrapping and remove SPNEGO wrapping to and from RFC 1964 
Kerberos GSSAPI tokens.

One solution, and probably the best, is to implement gss_init_sec_context 
and gss_accept_sec_context that do this.

Another solution, which one could argue is less disciplined, is to add 
SPNEGO wrapping after calling gss_init_sec_context and remove SPNEGO 
wrapping before calling gss_accept_sec_context.

http://sourceforge.net/projects/modgssapache's modgssapache and mod_spnego 
use the latter solution, and fbopenssl contains code to add and remove 
SPNEGO wrapping using OpenSSL's ASN.1/DER engine.

Frank
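The second approach described above (add the SPNEGO wrapping after gss_init_sec_context, remove it before gss_accept_sec_context), as an added example that is not part of the original message and not code from fbopenssl, modgssapache or mod_spnego. It hand-encodes the DER instead of using OpenSSL's ASN.1 engine, handles only the initiator's first token (NegTokenInit) and offers Kerberos 5 as the sole mechanism; the names spnego_wrap and spnego_unwrap are hypothetical.

```c
/* Added example (not from the thread); spnego_wrap/spnego_unwrap are hypothetical names. */
#include <stddef.h>
#include <string.h>

static const unsigned char SPNEGO_OID[] = {0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02}; /* 1.3.6.1.5.5.2 */
/* [0] mechTypes { SEQUENCE { OID 1.2.840.113554.1.2.2 (Kerberos 5) } }, pre-encoded */
static const unsigned char KRB5_MECHS[] = {0xa0,0x0d,0x30,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
/* Prepend a DER tag and definite length for the n content bytes that start at p. */
static unsigned char *hdr(unsigned char *p, unsigned char tag, size_t n) {
    size_t k = 0;
    if (n < 0x80) *--p = (unsigned char)n;
    else { for (; n; n >>= 8, k++) *--p = (unsigned char)n; *--p = (unsigned char)(0x80 | k); }
    *--p = tag; return p;
}
/* Wrap an RFC 1964 token in a SPNEGO NegTokenInit; returns bytes written, 0 if out is too small. */
size_t spnego_wrap(const unsigned char *tok, size_t len, unsigned char *out, size_t cap) {
    if (len > cap || cap - len < 96) return 0;      /* 96 covers worst-case headers + OIDs */
    unsigned char *end = out + cap, *p = memcpy(end - len, tok, len); /* build back to front */
    p = hdr(p, 0x04, len);                          /* OCTET STRING */
    p = hdr(p, 0xa2, (size_t)(end - p));            /* [2] mechToken */
    p = memcpy(p - sizeof KRB5_MECHS, KRB5_MECHS, sizeof KRB5_MECHS);
    p = hdr(p, 0x30, (size_t)(end - p));            /* NegTokenInit */
    p = hdr(p, 0xa0, (size_t)(end - p));            /* [0] negTokenInit */
    p = memcpy(p - sizeof SPNEGO_OID, SPNEGO_OID, sizeof SPNEGO_OID);
    p = hdr(p, 0x60, (size_t)(end - p));            /* [APPLICATION 0] */
    memmove(out, p, (size_t)(end - p));
    return (size_t)(end - p);
}
/* Read one header with the expected tag; on success advance *p to the content and return its
   length. Returns 0 on any error (no element read here may be empty). */
static size_t rd(const unsigned char **p, const unsigned char *end, unsigned char tag) {
    const unsigned char *s = *p; size_t n, k;
    if (end - s < 2 || *s++ != tag) return 0;
    if ((n = *s++) & 0x80) {
        if ((k = n & 0x7f) == 0 || k > sizeof n || (size_t)(end - s) < k) return 0;
        for (n = 0; k--; ) n = (n << 8) | *s++;
    }
    if ((size_t)(end - s) < n) return 0;            /* content must fit in the buffer */
    *p = s; return n;
}
/* Return a pointer to the mechToken inside a NegTokenInit (length in *len), or NULL if malformed. */
const unsigned char *spnego_unwrap(const unsigned char *buf, size_t n, size_t *len) {
    const unsigned char *p = buf, *end = buf + n;
    size_t l = rd(&p, end, 0x60);
    if (l < sizeof SPNEGO_OID || memcmp(p, SPNEGO_OID, sizeof SPNEGO_OID)) return NULL;
    end = p + l; p += sizeof SPNEGO_OID;
    if (!rd(&p, end, 0xa0) || !rd(&p, end, 0x30) || !(l = rd(&p, end, 0xa0))) return NULL;
    p += l;                                         /* skip the mechTypes list */
    if ((l = rd(&p, end, 0xa1))) p += l;            /* optional [1] reqFlags */
    return rd(&p, end, 0xa2) && (*len = rd(&p, end, 0x04)) ? p : NULL;
}
```

The bytes returned by spnego_unwrap are what gets handed to gss_accept_sec_context, which still checks the RFC 1964 framing and mechanism OID of the inner token itself.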





Kirill Mendelev <kirill.mendelev at gmail.com>
Sent by: kerberos-bounces at MIT.EDU
01/19/2005 04:54 AM

 
        To:     kerberos at MIT.EDU
        cc: 
        Subject:        Re: Krb5 API vs. GSSAPI


Hi,

Speaking of mechanisms. I may sound silly, but I'm only beginning to dig 
into all this Kerberos/GSSAPI/SPNEGO/SPNEGO via HTTP stuff (lots of 
reading done, tons of material ahead).

Still, I've built a couple of small programs, which use GSSAPI as 
provided by MIT distribution, and it seems that the mechanisms supported 
by default do not include SPNEGO 1.3.6.1.5.5.2. I'm using the 
gss_indicate_mechs to obtain available mechanisms, and I can't find it 
inside of the set returned.

Am I missing something really important, or should I just go ahead and 
implement the SPNEGO mech myself?

Kirill

Luke Howard wrote:
>>Is that so? I've only ever seen Kerberos being carried out over GSSAPI.
>>What others are there?
> 
> 
> Here is a list that Martin Rex of SAP posted to the ietf-kitten mailing
> list (to which I would add SPNEGO and NTLM):
> 
> ietf mechanism:         Company (Country)
> 
>     Kerberos 5             MIT, CyberSafe, CA/Platinum, Microsoft, heimdal
>     SPKM                   Entrust (CA), Shym (US), Baltimore (US)
> 
> proprietary mechanisms:
> 
>     AM-DCE                 Bull (FR)
>     (propr.)               Sagem (FR)
>     sdti,rsakeon,trustnet  TFS-Tech (SE) former RSA/SDTI
>     safelayer              Safelayer (SP)
>     NEC Secureware         NEC (JP)
>     itsec                  UBS/ITsec (CH)
>     Adnovum GSSv2          UBS/Adnovum (CH)
>     ISign/secui            Penta Security Systems (South Korea)
>     Sisler                 Siemens India (India)
>     cpro                   Mecomp (RU)
>     lissi                  Lissi (RU)
>     kobil                  Kobil GmbH (DE)
>     T-Secure               secunet/Telekom (DE)
> 
> -- Luke
> 
> --
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 