a bunch of random krb5 questions

Chris Hecker checker at d6.com
Tue Sep 27 01:42:45 EDT 2011


I'm getting krb5 up and working with my game (it's working great, both 
normal client<->server and client<->client with u2u), and have 
accumulated a bunch of questions since my last barrage:

1.  What's the difference, if any, between get_credentials with the 
CACHED flag and cc_retrieve_creds?

2.  I talk to the KDC in a dedicated thread, which has its own 
krb5_context.  Is it okay to use the krb5_creds allocated on that 
context with the main thread's context?  If not, do I need to do the KDC 
communication on its own thread, then use the ccache for moving the 
creds to the main thread?

3.  mk_req takes a krb5_data and will make a checksum from it, but I 
don't see any way to use that on the rd_req side?  Am I missing 
something, or is this just some internal thing?  Or is it the checksum 
in the authenticator you can get through krb5_auth_con_getauthenticator?

4.  Is there a way from an existing in-use auth_con to get the client 
and server princs?

5.  Does mk_priv also checksum the data, in addition to encrypting it?

6.  Do I need to rd_priv/safe every mk_priv/safe packet I get to keep 
the sequence numbers correct (DO_SEQUENCE is on the auth_con), or can I 
skip some?

7.  Why is krb5int_copy_data_contents krb5int?

8.  For u2u authn, I think the user_user sample is backwards.  In other 
words, it's always the client in a normal krb5 application that calls 
get_credentials and talks to the KDC, yet in the user_user sample that 
code is in server.c.

Thanks!
Chris
