One more question WRT gssapi...
jiva at devoesquared.com
Tue Jul 26 22:13:53 EDT 2005
I have a long-running service... (like an ftp server, or a web server
or whatever, though it's a program I am writing myself)... and users
will access it using a client program (like an ftp client).
Now I assume the user would kinit prior to running the client
program, so I can see how that works. But in the case of the server,
I am confused about how the server process gains its initial TGT.
I understand that I can use a keytab file for the server process, but
doesn't it still need to call kinit (say in its startup script)
prior to calling gss_acquire_cred() ?
Is there an API call for that kinit? In my program, I've been
calling the kinit cmd line program prior to running the program. Do
I need to put that into my startup script? (This is all on Linux BTW).
On an unrelated note: Is it possible for a server process to have
multiple TGTs for different principals? (Why? For unit tests for my
code - simulating the user client process/credentials and the server
On Jul 26, 2005, at 6:02 PM, Jeffrey Altman wrote:
> Why don't you explain to us what you are attempting to accomplish?
> Does one of your two endpoints represent an end-user?
> Or are both of your endpoints services that represent machines?
> When using GSSAPI Kerberos, the initiator of the authentication must
> have an initial credential (aka a Ticket Granting Ticket) prior to
> the call to gss_acquire_cred() or gss_init_context(). If the
> represents an end user, the user typically obtains a TGT either a
> or via a kinit call. The user provides her principal name and a
> password or smart card or another form of proof of identity and the
> Kerberos KDC issues an initial TGT to the user.
> If the initiator does not represent a user or is running as a detached
> long term background process, the process may be given access to a
> keytab containing the long term key for the initiator's principal.
> keytab is then used with a kinit call to obtain an initial TGT.
> The TGT is used during the gss_init_context() call to obtain a
> service ticket for the service you are attempting to authenticate to.
> Jeffrey Altman
> Jiva DeVoe wrote:
>> Is this documented somewhere I can read up on it? I clearly don't
>> understand the inner workings of this, and I'd like to.
>> On Jul 26, 2005, at 5:17 PM, Nicolas Williams wrote:
>>> On Tue, Jul 26, 2005 at 05:04:07PM -0400, Jiva DeVoe wrote:
>>>> Hmm, my tests do not bear this out...
>>>> Specifically, I find I MUST issue a kinit -t /etc/krb5.keytab
>>>> host at foo.com before attempting to run my application which then
>>>> a gss_acquire_cred.
>>>> Is this correct?
>>> For an initiator cred, yes.
>> Jiva DeVoe
>> PowerCard - Intuitive Project Management Software for Mac OS X
PowerCard - Intuitive Project Management for Mac OS X
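Jiva asks whether the keytab kinit belongs in the server's startup script. The script below is an added example of that step, not code from this thread or from MIT Kerberos: it obtains the initial TGT for a service principal from a keytab into a private credential cache, verifies it, and then starts the service. The keytab path, principal name and service binary are placeholders, and the function names are this example's own. As the "For an initiator cred, yes" reply implies, only the initiator side needs this step.

```shell
#!/bin/sh
# Added example (not from the thread): get an initial TGT for a service
# principal from a keytab before starting a GSSAPI initiator, i.e. the
# "keytab is then used with a kinit call" step described above.
# Placeholder values (assumptions, not from the original message):
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"            # long-term key of the principal
PRINCIPAL="${PRINCIPAL:-host/foo.example.com}"   # placeholder service principal
SERVICE="${SERVICE:-/usr/local/bin/myservice}"   # placeholder service binary

# Acquire a TGT for $2 from keytab $1 into a private credential cache, so the
# service never shares the cache of whoever launched it.
# Exit status: 0 ok, 1 kinit/klist failed, 2 keytab unreadable,
# 3 keytab readable by others. Prints the cache name on stdout.
kinit_from_keytab() {
    keytab=$1; principal=$2
    [ -r "$keytab" ] || { echo "keytab $keytab not readable" >&2; return 2; }
    # A keytab readable by other local users hands them the long-term key;
    # characters 8-10 of 'ls -l' are the "other" permission bits.
    case $(ls -l "$keytab" | cut -c8-10) in
        ---) ;;
        *) echo "keytab $keytab is readable by others; refusing" >&2; return 3 ;;
    esac
    ccache="FILE:${TMPDIR:-/tmp}/krb5cc_$(id -u)_$$"
    export KRB5CCNAME="$ccache"
    # -k: authenticate with a keytab, -t: which keytab file. No password prompt.
    kinit -k -t "$keytab" "$principal" || return 1
    # klist -s is silent and exits non-zero if the cache holds no valid TGT.
    klist -s || return 1
    printf '%s\n' "$ccache"
}

# Obtain the TGT, then replace this shell with the service, which inherits
# KRB5CCNAME and can call gss_acquire_cred() / gss_init_sec_context().
start_service() {
    cc=$(kinit_from_keytab "$KEYTAB" "$PRINCIPAL") || return $?
    KRB5CCNAME="$cc" exec "$SERVICE"
}
```

Call `start_service` from the init script to run it; a TGT obtained this way expires, so a long-running initiator has to repeat `kinit_from_keytab` before the ticket lifetime ends. A process that only accepts contexts does not need any of this: `gss_acquire_cred()` with `GSS_C_ACCEPT` reads the keytab directly (MIT krb5 locates it through `KRB5_KTNAME`). The library-level equivalent of the kinit step, for a program that would rather not shell out, is `krb5_get_init_creds_keytab()` followed by storing the result in a credential cache.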