Kerberos error codes

Dylan Klomparens dylan.klomparens at gmail.com
Wed Apr 20 09:51:30 EDT 2016


Hello, I am writing a program that uses Kerberos. The program is intended
to be used by a service to verify clients' identities. MIT's developer
documentation recommends "the GSSAPI ... for secure network communication
over using the libkrb5 API directly." This led me to use the function
gss_accept_sec_context to verify credentials. I would like my program to be
as robust as possible, and output any error codes in an understandable way.
The gss_accept_sec_context function has a "major" error code (its return
value) and a "minor" error code to convey Kerberos-specific errors. I am
able to find plenty of documentation on the major error code. However, I am
unable to find a list of Kerberos-specific error codes within GSSAPI. Does
anyone know where this might be documented? If it's not documented, I will
be happy to write the documentation and submit a pull request on GitHub.

My other question is, why does MIT recommend using GSSAPI over the libkrb5
API directly? From a design perspective, I'd like to minimize the number of
dependencies that my program has. By minimizing dependencies, complexity
and potential attack surface (for application security) are reduced for my
program. If my requirement is that I only need to verify service tickets
from clients, am I better off using libkrb5 directly?

Thanks,
-- Dylan Klomparens
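
An added example, not part of the original message and not MIT's code: it splits the major status returned by gss_accept_sec_context into its RFC 2744 fields and decides what an acceptor should do with it. The helper names (classify_major, routine_name, format_status) are hypothetical, and the constants are redefined from RFC 2744 so the file builds without the GSSAPI headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Values mirror RFC 2744 / <gssapi/gssapi.h>, redefined so this builds alone. */
#define CALLING_SHIFT   24      /* GSS_C_CALLING_ERROR_OFFSET */
#define ROUTINE_SHIFT   16      /* GSS_C_ROUTINE_ERROR_OFFSET */
#define FIELD_MASK      0xffu
#define SUPP_MASK       0xffffu
#define CONTINUE_NEEDED 0x1u    /* GSS_S_CONTINUE_NEEDED */

static const char *const routine_names[] = {   /* index = routine error number */
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
    "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
    "GSS_S_NAME_NOT_MN"
};
#define N_ROUTINE (sizeof routine_names / sizeof routine_names[0])

enum accept_state { ACCEPT_DONE, ACCEPT_CONTINUE, ACCEPT_FAILED };

/* Hypothetical helper: next step for an acceptor loop. Only GSS_S_COMPLETE (0)
 * means the client is authenticated; supplementary bits such as
 * GSS_S_DUPLICATE_TOKEN are fatal during context establishment. */
enum accept_state classify_major(uint32_t major)
{
    if (major == 0) return ACCEPT_DONE;
    if (major == CONTINUE_NEEDED) return ACCEPT_CONTINUE;  /* not authenticated yet */
    return ACCEPT_FAILED;
}

const char *routine_name(uint32_t major)
{
    uint32_t r = (major >> ROUTINE_SHIFT) & FIELD_MASK;
    return r < N_ROUTINE ? routine_names[r] : "unknown";
}

/* One log line. The minor code is opaque here: its text comes from
 * gss_display_status() with GSS_C_MECH_CODE and the mechanism OID. */
int format_status(uint32_t major, uint32_t minor, char *buf, size_t len)
{
    return snprintf(buf, len,
        "major=0x%08x calling=%u routine=%s supp=0x%04x minor=0x%08x",
        (unsigned)major, (unsigned)((major >> CALLING_SHIFT) & FIELD_MASK),
        routine_name(major), (unsigned)(major & SUPP_MASK), (unsigned)minor);
}
```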

