Kerberized authorization service
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Jan 29 10:59:11 EST 2008
>Heh, I understand how Kerberos works (or at least, I like to think I do),
>but my several aborted attempts to learn GSSAPI have made my brain hurt.
>The lack of a plain English introduction/explanation to the API is probably
>why Kerberos doesn't have a heck of a lot of application support.
>(Anyone else listening here?)
We also have desired a simple authorization server ... sadly, the money dried
up for it during the design phase. It would probably look like something
John is talking about (the non-SAML version), had we managed to complete it.
Regarding Kerberos/GSSAPI programming ... a few years ago I wrote a very
heavily commented "Hello, world" client and server programs as an illustration
for the Kerberos API. They're available if people are interested (I have
been told that they are helpful by others I have shown them to).
While I no fan of the GSSAPI, Russ Allbery told me once that if you suck it
up and wade through the RFCs, it's actually not too bad. I grudgingly admit
that he is correct on that one; once I sat down and started going through
the RFC I was able to write a GSS-API program without too much pain. The
trick is to read the RIGHT RFCs - the ones you need are RFC 2744 (assuming
you're writing it in C) and 2743 (for the generic API concepts). Ignore
most of the rest of them. The code I wrote for that project actually
is pretty good w.r.t. commenting, if it would be helpful to anyone else.
Although ... if I ever find out who is responsible for the mess that
is gss_display_status(), I'm going to kick them in the balls. Repeatedly.
--Ken
More information about the Kerberos
mailing list