API Question

Derrick Schommer dschommer at acopia.com
Wed Sep 15 13:05:43 EDT 2004


Jason,

There is a definite order for all the major "constructs" that are used
within the krb5 API.

Here is my 2 cents based on what I've learned in the last month or so.
Not all the calls may be required for you, or you may need alternative
ones for your paradigm but here's an idea to start with:

The Kerberos context is used in 99.9% of the API calls that exist in the
library (using krb5.h).  So the krb5_init_context() is going to be one
of the first things you're going to want to work out.  Other important
calls that occur in the context initialization may be building your host
principal (HOST/myhostname at MYREALM), and generating salts with that name
(krb5_principal2salt()).  Also setting keys up correctly
(krb5_c_string_to_key()) might come in handy now, because you're going
to need all that stuff set up before you can start getting user
credentials.

I then tend to build the credential cache next, because you're going to
need it for storing user's.  The krb5_cc_resolve() helps set up all your
"handles" so that you can add/remove/initialize a credential cache
later.

Next I tend to initialize anything that I need for the credentials (or
the cache itself).  Such as krb5_get_init_creds_opt_init().  You can also
build your principal names now, such as krb5_parse_name() to make a
client principal name.  You'll notice all these routines require the
context to be passed so your krb5_init_context() call has to already
have been made.

Now you can start populating your credentials, and validating them with
such things as krb5_get_init_creds_password() or however you plan on
generating your client credentials.  Then store them in your cache with
krb5_cc_initialize() (to get your cache up and going), and
krb5_cc_store_cred() (to put your credentials inside of it).

I hope that helps a little.  That should at least get you to where you
can use "klist" to see your newly stored credentials. :)

Also, make sure you do your homework on the correct krb5_free function
calls or your memory may leak like a '67 corvette. :)

Thanks,

Derrick
PS: I tried to get the calls in the right order for you, but I'm sure
there are at least one or two krb5 experts that can do it better than
me.  Just hope this gets your feet wet with krb5.


-----Original Message-----
From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu] 
Sent: Wednesday, 15 September 2004 12:02
To: krbdev at mit.edu
Subject: API Question

Is there a particular order in which to use the Kerberos API.  I suppose
more specifically what function calls do I need to make from start to
finish on authenticating a user from a console application:

ex.
1. krb5_init_context()
2. krb5_auth_con_init()
3 ...???

Or is the question too vague?  What I am trying to do is write a simple
application to retrieve a ticket for a given username /password then map
the retrieved ticket to a local account... I am having a hard time
finding any real good documentation about this subject on the web as
well from the provided RFC documents.

Any help or pointers is appreciated.

-- 
Jason Gerfen

"Perfect love is rare indeed - for to be a
 lover will require that you continually
 have the subtlety of the very wise, the
 flexibility of the child, the sensitivity
 of the artist, the understanding of the
 philosopher, the acceptance of the saint,
 the tolerance of the scholar and the
 fortitude of the certain."
                       ~Leo Buscaglia

_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev 