Iterate over server credentials

Benjamin Kaduk kaduk at mit.edu
Wed Mar 22 21:19:59 EDT 2017


On Wed, Mar 22, 2017 at 03:48:21PM -0400, Dylan Klomparens wrote:
> Hello,
> 
> I'm writing a program that accepts Kerberos authentication using the
> GSSAPI. The program acquires credentials using gss_acquire_cred_from() with
> a keytab specified, and this is working properly. The keytab has multiple
> principals stored in it. I want to output all the principals that were
> acquired, so I tried to use gss_inquire_cred() to find out and
> gss_display_name() to print them. This allows me to output the first
> principal in the keytab, but only the first one. Is there a way to output
> all of them? How can I iterate through all the principals acquired from a
> single keytab and output their names?

RFC 2743 is pretty clear that a GSS credential handle can represent
only a single (named) entity, though it may have credentials for
that entity with multiple mechanisms.  Since there is only one
GSS name associated with the credential, there is no need to
iterate.

That said, for the case where the kerberos keytab in question is the
default location (/etc/krb5.keytab, or what is specified by the
KRB5KTNAME environment variable), gss_accept_sec_context() with
GSS_C_NO_CREDENTIAL as the acceptor credential handle will
automatically search through all identities in the keytab and use
any of them, if they match the message from the client.

> Once I accept a security context, the program is authenticating correctly,
> so it stands to reason that I'm legitimately acquiring multiple credentials
> from the same keytab.

What you have said here is not enough information to establish your
conclusion.  How do we know what names the initiators are trying to
use to contact the service?

-Ben
