API Question

Jason Gerfen jason.gerfen at scl.utah.edu
Wed Sep 15 12:59:20 EDT 2004

Mr. Schommer,
Thanks a ton, you have got me pointed in the right direction.

Derrick Schommer wrote:

>There is a definite order for all the major "constructs" that are used
>within the krb5 API.
>Here is my 2 cents based on what I've learned in the last month or so.
>Not all the calls may be required for you, or you may need alternative
>ones for your paradigm but here's an idea to start with:
>The Kerberos context is used in 99.9% of the API calls that exist in the
>library (using krb5.h).  So the krb5_init_context() is going to be one
>of the first things you're going to want to work out.  Other important
>calls that occur in the context initialization may be building your host
>principal (HOST/myhostname at MYREALM), and generating salts with that name
>(krb5_principal2salt()).  Also setting keys up correct
>(krb5_c_string_to_key()) might come in handy now, because you're going
>to need all that stuff setup before you can start getting user
>I then tend to build the credential cache next, because you're going to
>need it for storing user's.  The krb5_cc_resolve() helps setup all your
>"handles" so that you can add/remove/initialize a credential cache
>Next I tend to initialize anything that I need for the credentials (or
>the cache itself).  Such as krb5_get_ini_creds_opt_init().  You can also
>build your principal names now, such as krb5_parse_name() to make a
>client principle name.  You'll notice all these routines require the
>context to be passed so your krb5_init_context() call has to already
>have been made.
>Now you can start populating your credentials, and validating them with
>such things as krb5_get_init_creds_password() or however you plan on
>generating your client credentials.  Then store them in your cache with
>krb5_cc_initialize() (to get your cache up and goine), and
>krb5_cc_store_cred() (to put your credentials inside of it).
>I hope that helps a little.  That should at least get you to where you
>can use "klist" to see your newly stored credentials. :)
>Also, make sure you do your homework on the correct krb5_free function
>calls or your memory may leak like a '67 corvette. :)
>PS: I tried to get the calls in the right order for you, but I'm sure
>there are at least one or two krb5 experts that can do it better then
>me.  Just hope this gets your feet with with krb5.
>-----Original Message-----
>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu] 
>Sent: Mittwoch, 15. September 2004 12:02
>To: krbdev at mit.edu
>Subject: API Question
>Is there a particular order in which to use the Kerberos API.  I suppose
>more specifically what function calls do I need to make from start to 
>finish on authenticating a user from a console application:
>1. krb5_init_context()
>2. krb5_auth_con_init()
>3 ...???
>Or is the question too vague?  What I am trying to do is write a simple 
>application to retrieve a ticket for a given username /password then map
>the retrieved ticket to a local account... I am having a hard time 
>finding any real good documentation about this subject on the web as 
>well from the provided RFC documents.
>Any help or pointers is appreciated.

Jason Gerfen
Student Computing
Marriott Library
jason.gerfen at scl.utah.edu

"Perfect love is rare indeed - for to be a
 lover will require that you continually
 have the subtlety of the very wise, the
 flexibility of the child, the sensitivity
 of the artist, the understanding of the
 philosopher, the acceptance of the saint,
 the tolerance of the scholar and the
 fortitude of the certain."
                       ~Leo Buscaglia

More information about the krbdev mailing list