WS-Security and GSS-API: How do I get the session key?

Luke Howard lukeh at padl.com
Fri Mar 6 21:01:32 EST 2009


> BTW, I read the krb5-1.7 code and noticed you're supporting some other
> OIDs for this new function:
>
>  KRB5_GET_TKT_FLAGS
>  KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
>  KRB5_EXPORT_LUCID_SEC_CONTEXT
>  KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>
> I wonder how widely they are required and whether we should also
> support them. Can you give me some background info?

These are just shims for indirecting existing mechanism-specific APIs  
through the mechanism glue (so that the mechanism glue itself need not  
be polluted with mechanism-specific API). They correspond to:

gss_krb5_get_tkt_flags()
gsskrb5_extract_authz_data_from_sec_context()
gss_krb5_export_lucid_sec_context()
gsskrb5_extract_authtime_from_sec_context()

I think only the extract_authXXX APIs are new for 1.7. The usage for  
gsskrb5_extract_authz_data_from_sec_context() is identical to Heimdal:

http://www.daemon-systems.org/man/gsskrb5_extract_authz_data_from_sec_context.3.html

gsskrb5_extract_authtime_from_sec_context() gets the authtime from the  
ticket.

Let me know if you have further questions.

-- Luke


