WS-Security and GSS-API: How do I get the session key?
Ken Raeburn
raeburn at MIT.EDU
Mon Feb 23 11:11:17 EST 2009
On Feb 23, 2009, at 04:39, Speedo wrote:
> I guess this issue had been discussed before: WS-Security negotiates
> with Kerberos 5 but uses the session key in a different way from GSS
> tokens. Since GSS-API is the public API to access Kerberos 5, is there
> any recent progress in enhancing the GSS-API to provide a function
> like gss_get_session_key()?
I wouldn't say that "GSS-API is the public API to access Kerberos 5",
though I think it's generally preferred that you write application
*protocols* to GSS-API. (Which means, among other things, not
assuming you can extract the session key and do with it what you like
-- or even assuming that there is such a thing as a "session key".)
If you write non-GSSAPI application protocols, there are still non-
GSSAPI programming interfaces....
That said, I believe the MIT 1.7 release will include an API for
extracting a session key if there is one, but no earlier release from
MIT will, and I'm not sure how portable that API will be to other
implementations.
Ken
More information about the Kerberos
mailing list