WS-Security and GSS-API: How do I get the session key?
Luke Howard
lukeh at padl.com
Fri Mar 6 21:01:32 EST 2009
> BTW, I read the krb5-1.7 code and noticed you're supporting some other
> OIDs for this new function:
>
> KRB5_GET_TKT_FLAGS
> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
> KRB5_EXPORT_LUCID_SEC_CONTEXT
> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>
> I wonder how widely they are required and whether we should also
> support them. Can you give me some background info?

These are just shims for indirecting existing mechanism-specific APIs
through the mechanism glue (so that the mechanism glue itself need not
be polluted with mechanism-specific API). They correspond to:

gss_krb5_get_tkt_flags()
gsskrb5_extract_authz_data_from_sec_context()
gss_krb5_export_lucid_sec_context()
gsskrb5_extract_authtime_from_sec_context()

I think only the extract_authXXX APIs are new for 1.7. The usage for
gsskrb5_extract_authz_data_from_sec_context() is identical to Heimdal:

http://www.daemon-systems.org/man/gsskrb5_extract_authz_data_from_sec_context.3.html

gsskrb5_extract_authtime_from_sec_context() gets the authtime from the
ticket.

Let me know if you have further questions.
-- Luke