WS-Security and GSS-API: How do I get the session key?

Max (Weijun) Wang Weijun.Wang at Sun.COM
Sun Mar 8 22:45:50 EDT 2009


> gss_krb5_get_tkt_flags()
> gsskrb5_extract_authz_data_from_sec_context()
> gsskrb5_extract_authtime_from_sec_context()

I guess the tkt or authXXX above are all for the initial TGT (instead
of any service ticket). Right?

Thanks
Weijun

On Mar 7, 2009, at 10:01 AM, Luke Howard wrote:

>> BTW, I read the krb5-1.7 code and notice you're supporting some other
>> OIDs for this new function:
>>
>> KRB5_GET_TKT_FLAGS
>> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
>> KRB5_EXPORT_LUCID_SEC_CONTEXT
>> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>>
>> I wonder how widely they are required and whether we should also
>> support them. Can you give me some background info?
>
> These are just shims for indirecting existing mechanism-specific  
> APIs through the mechanism glue (so that the mechanism glue itself  
> need not be polluted with mechanism specific API). They correspond to:
>
> gss_krb5_get_tkt_flags()
> gsskrb5_extract_authz_data_from_sec_context()
> gss_krb5_export_lucid_sec_context()
> gsskrb5_extract_authtime_from_sec_context()
>
> I think only the extract_authXXX APIs are new for 1.7. The usage for
> gsskrb5_extract_authz_data_from_sec_context() is identical to Heimdal:
>
> http://www.daemon-systems.org/man/gsskrb5_extract_authz_data_from_sec_context.3.html
>
> gsskrb5_extract_authtime_from_sec_context() gets the authtime from  
> the ticket.
>
> Let me know if you have further questions.
>
> -- Luke



