Reuse of GSSAPI Tokens
jiva at devoesquared.com
Thu Jul 21 15:24:30 EDT 2005
I can establish multiple contexts through multiple init/accept
It's just if I wanted to do init/accept/accept/accept that I can't do
What I was hoping to accomplish was the ability to use a token by
multiple servers to authenticate a given request. (All servers would
be using the same service credential).
Given the following scenario, A and B are servers, C is a client
C creates a token using *_init_* and gives it to A to access a resource.
A verifies it's ok by passing it to *_accept_*
A now wants to pass the request from C on to B on behalf of C
(because B has some resource A doesn't have) so A forwards the token
on to B.
B verifies C's token again, and returns with some data.
Is there a "preferred" way to do this?
I imagine the preferred way might be something like:
C and A authenticate each other with A/C tokens
A and B authenticate each other with A/B Tokens
Because B trusts A, he assumes C is OK because A tells him so.
On Jul 21, 2005, at 2:38 PM, Douglas E. Engert wrote:
> Jiva DeVoe wrote:
>> Is it possible to use a token generated by the GSSAPI call
>> gss_init_sec_context call to establish more than one security
>> context via the gss_accept_sec_context call?
> No. Generically speaking with GSS, you don't know what is in the
> and the underlying mechanism may require the exchange a number of
> before returning success.
>> Meaning, can I pass a token to gss_accept more than once? In my
>> testing, it appears I can't. Subsequent calls result in an
>> invalid context. If this is the case, I'm curious how this is
>> done, since my token appears to be unchanged.
> Why do you need to do this in the first place?
> Generically speeking you should be able to establish more then one
> but you must go through the gss_init_sec_context/
> loop for each context. If the Kerberos gssapi mechanism is not letting
> you do this, then there is a problem.
>> Jiva DeVoe
>> PowerCard - Intuitive Project Management Software for Mac OS X
>> krbdev mailing list krbdev at mit.edu
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
PowerCard - Intuitive Project Management Software for Mac OS X
More information about the krbdev