How to get Kerberos token for proxy authentication

Simo Sorce simo at redhat.com
Tue Jun 4 15:15:48 EDT 2024


On Tue, 2024-06-04 at 12:31 +0000, m_a_n_j_u_s_k at yahoo.com wrote:
> Hi again,
> 
> I am looking at implementing this (getting Kerberos service
> token) in C using Heimdal Kerberos library.
> 
> In Golang using this go package https://github.com/alexbrainman/sspi
> it was simply two calls as below:
> 
> cred=negotiate.AcquireCurrentCredentials()
> token = negotiate.NewClientContext(cred, spn)
> 
> However, it looks a bit complex in C using MIT/Heimdal library. I am
> looking at this example mentioned in the RFC here
> https://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1
> 
> Just checking if someone has done a similar thing and I am on the
> right track. Thank you.
> 

You are comparing a full loop with just setting up the initial context.

The two calls you have on those two lines are indeed equivalent to:

   maj = gss_acquire_cred(&min, acceptor_name, GSS_C_INDEFINITE,
                          desired_mechs, cred_usage, creds,
                          actual_mechs, NULL);

and

   /* minor_status is an output parameter, so pass its address */
   maj = gss_init_sec_context(&min, init_cred, &init_ctx,
                              accept_name, mech_type, GSS_C_DELEG_FLAG,
                              req_lifetime, GSS_C_NO_CHANNEL_BINDINGS,
                              &accept_token, NULL, &init_token, NULL,
                              NULL);


Where all those variables are set to default values.
Of course this is missing all error handling, and, if you use defaults
it will miss many nuances.

As Ken suggested, you should look at real examples; libcurl may be a
way. I can also suggest this library of mine:
https://github.com/gssapi/mod_auth_gssapi/blob/master/src/mod_auth_gssapi.c

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
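
As an added example (not from this thread, and not code from mod_auth_gssapi or libcurl): a small C check that reads the RFC 2743 section 3.1 framing of the bytes gss_init_sec_context() returns in its output token and reports whether they are SPNEGO, raw Kerberos 5 or NTLM, which is one place the mech_type and desired_mechs defaults become visible. The enum, the function name classify_token and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Labels are this example's own, not GSS-API constants. */
enum tok_mech { TOK_INVALID, TOK_SPNEGO, TOK_KRB5, TOK_NTLM, TOK_OTHER };

static const unsigned char OID_SPNEGO[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char OID_KRB5[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
/* Constructed sample: SPNEGO framing with an empty [0] body, not captured traffic. */
static const unsigned char SAMPLE_SPNEGO[] = {0x60,0x0a,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x00};

/* Classify an initial context token by its RFC 2743 section 3.1 header:
 * 0x60, DER length, 0x06, OID length, OID bytes, mechanism data. */
enum tok_mech classify_token(const unsigned char *p, size_t n)
{
    size_t i = 0, len = 0, k;
    /* Raw NTLM has no GSS framing; it starts with "NTLMSSP\0". */
    if (n >= 8 && memcmp(p, "NTLMSSP", 8) == 0)
        return TOK_NTLM;
    if (n < 2 || p[i++] != 0x60)
        return TOK_INVALID;
    /* DER length: short form, or 0x80|k followed by k big-endian bytes. */
    if (p[i] < 0x80) {
        len = p[i++];
    } else {
        k = p[i++] & 0x7f;
        if (k == 0 || k > sizeof(len) || k > n - i)
            return TOK_INVALID;
        while (k--)
            len = (len << 8) | p[i++];
    }
    /* The declared length must cover exactly the rest of the buffer. */
    if (len != n - i || len < 2 || p[i++] != 0x06)
        return TOK_INVALID;
    k = p[i++];                     /* OID length, short form only */
    if (k >= 0x80 || k > n - i)
        return TOK_INVALID;
    if (k == sizeof(OID_SPNEGO) && memcmp(p + i, OID_SPNEGO, k) == 0)
        return TOK_SPNEGO;
    if (k == sizeof(OID_KRB5) && memcmp(p + i, OID_KRB5, k) == 0)
        return TOK_KRB5;
    return TOK_OTHER;
}

int main(void)
{
    printf("sample token mechanism: %d\n", classify_token(SAMPLE_SPNEGO, sizeof(SAMPLE_SPNEGO)));
    return 0;
}
```

In a real client the input would be init_token.value and init_token.length after a call that returned GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED.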

