Differentiate the ServiceTicket issued from Kinit vs PKinit

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Jun 3 21:36:35 EDT 2015


>Never mind. I assume the flags are inside the ticket.

Yeah, exactly.  The KDC sets the flags, so you can trust their validity.

The one big issue is that if you're programming the GSSAPI, there's
not a standardized GSSAPI function you can call to retrieve those flags,
which is unfortunate; for MIT Kerberos, there is a function called
gss_krb5_get_ticket_flags() you can use and it looks like the same thing
exists for Heimdal.

--Ken

