Is it required to use GSSAPI code for the Kerberos Server Auth?

Richard E. Silverman res at
Tue Mar 21 23:20:06 EST 2006

> I am working on SA (Server Authentication) feature of Kerberos.
> - Is it required to port GSSAPI code for this feature of SA?

This question is not clearly connected to your goal.  "Porting" is only
required if your platform doesn't have GSSAPI libraries and you need to
compile them from source.  Using GSS is not required to use Kerberos, but
it is the usual API employed these days.

> - If so, where should I use this mechanism in Kerberos client code? That
> means, between TGS_REP and AP_REQ?

The basic Kerberos authentication exchange identifies the client to the
server.  If you want server authentication as well, then from RFC 4120:
 "... if mutual authentication (authenticating not only the client to the
  server, but also the server to the client) is being performed, the
  KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options
  field, ..."

> - What is the exact procedure to use the GSSAPI code?

This is much too specific to ask here.  See various easily findable guides
on GSSAPI programming, and many examples in open source software, e.g. the
Debian build of OpenSSH, or these patches:

> POINT#2:
> ----------
> I tried by sending AP_REQ to SMTP server successfully but I could not
> receive the AP_REP successfully. I think AP_REQ packet is not properly
> understood by SMTP server since I have not been using the GSSAPI code in my
> implementation. So should I port the GSSAPI code into my code base and do
> SA??

I'm not sure I understand you -- but if you've been implementing the
Kerberos protocol from scratch so far, then yes, I suggest you use GSSAPI
instead; all the hard work is done for you.

  Richard Silverman
  res at
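
The RFC 4120 passage quoted in the reply, as an added example that is not part of the original message: Python that locates ap-options in a DER-encoded KRB_AP_REQ and tests the mutual-required bit (APOptions bit 2). The sample message is constructed, with empty placeholder ticket and authenticator, and all function names are this example's own.

```python
# Constructed data only: the ticket and authenticator below are empty placeholders.
MUTUAL_REQUIRED = 2          # APOptions bit number (RFC 4120, section 5.5.1)

def tlv(tag, body):
    """DER-encode one tag/length/value element."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def build_ap_req(flags):
    """Constructed AP-REQ with the given APOptions bit numbers set."""
    bits = sum(1 << (31 - b) for b in set(flags))   # bit 0 is the MSB
    fields = [
        tlv(0xA0, tlv(0x02, b"\x05")),                            # pvno 5
        tlv(0xA1, tlv(0x02, b"\x0e")),                            # msg-type 14
        tlv(0xA2, tlv(0x03, b"\x00" + bits.to_bytes(4, "big"))),  # ap-options
        tlv(0xA3, tlv(0x61, b"")),         # ticket placeholder
        tlv(0xA4, tlv(0x30, b"")),         # authenticator placeholder
    ]
    return tlv(0x6E, tlv(0x30, b"".join(fields)))   # [APPLICATION 14]

def mutual_required(ap_req):
    """True if the AP-REQ asks the server to answer with KRB_AP_REP."""
    tag, body, _ = read_tlv(ap_req)
    if tag != 0x6E:
        raise ValueError("not a KRB_AP_REQ")
    _, seq, _ = read_tlv(body)
    pos = 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        if tag == 0xA2:                    # [2] ap-options
            _, bitstr, _ = read_tlv(value)
            flags = int.from_bytes(bitstr[1:5], "big")   # skip unused-bits octet
            return bool(flags & (1 << (31 - MUTUAL_REQUIRED)))
    raise ValueError("ap-options field missing")
```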
