One more question WRT gssapi...
tlyu at MIT.EDU
Tue Jul 26 22:20:42 EDT 2005
>>>>> "jiva" == Jiva DeVoe <jiva at devoesquared.com> writes:

jiva> I have a long-running service... (like an ftp server, or a web server
jiva> or whatever, though it's a program I am writing myself)... and users
jiva> will access it using a client program (like an ftp client).
jiva> Now I assume the user would kinit prior to running the client
jiva> program, so I can see how that works. But in the case of the server,
jiva> I am confused about how the server process gains its initial TGT.
jiva> I understand that I can use a keytab file for the server process, but
jiva> doesn't it still need to call kinit (say in its startup script)
jiva> prior to calling gss_acquire_cred() ?

krb5 GSS credentials for accepting do not require running kinit; the
accepting credentials are effectively identical to the keytab. (We'll
ignore the user-to-user auth issue for now.) It is initiating
credentials which require running kinit.

jiva> Is there an API call for that kinit? In my program, I've been
jiva> calling the kinit cmd line program prior to running the program. Do
jiva> I need to put that into my startup script? (This is all on Linux BTW).

There is the krb5_get_init_creds() API.

jiva> On an unrelated note: Is it possible for a server process to have
jiva> multiple TGT for different principals? (Why? For unit tests for my
jiva> code - simulating the user client process/credentials and the server

Yes, but it may become rather complex to handle from a programming
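
[Added example, not part of the original message and not MIT's code.] The statement above that accepting credentials are effectively identical to the keytab can be seen in the file itself: each entry already holds the service principal, key version, encryption type and the long-term key. This minimal reader parses the first entry of a keytab image in MIT's file format 0x0502; the sample bytes, principal and dummy key are constructed, and `kt_entry`, `take` and `kt_first_entry` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: keytab format 0x0502 (big-endian), one entry for
   host/srv.example.com@EXAMPLE.COM, kvno 3, enctype 18, dummy 4-byte key. */
static const uint8_t SAMPLE[] =
    "\x05\x02" "\x00\x00\x00\x37"                    /* version, entry size 55 */
    "\x00\x02" "\x00\x0b" "EXAMPLE.COM"              /* 2 components, realm */
    "\x00\x04" "host" "\x00\x0f" "srv.example.com"   /* name components */
    "\x00\x00\x00\x01" "\x42\xe6\xf0\x00"            /* name type, timestamp */
    "\x03" "\x00\x12" "\x00\x04" "\xde\xad\xbe\xef"; /* vno8, enctype, key */
struct kt_entry { char princ[128]; unsigned kvno, enctype, keylen; };
static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Append the counted_octet_string at *off to the C string in out. */
static int take(const uint8_t *b, size_t end, size_t *off, char *out, size_t cap) {
    if (*off + 2 > end) return -1;
    size_t n = be16(b + *off), used = strlen(out);
    if (*off + 2 + n > end || used + n + 2 > cap) return -1; /* keep 1 spare byte */
    memcpy(out + used, b + *off + 2, n);
    out[used + n] = '\0';
    *off += 2 + n; return 0;
}

/* Parse the first entry of a keytab image; returns 0 on success, -1 on error. */
int kt_first_entry(const uint8_t *b, size_t len, struct kt_entry *e) {
    char realm[64] = "";
    if (len < 8 || be16(b) != 0x0502) return -1;
    uint32_t size = (uint32_t)be16(b + 2) << 16 | be16(b + 4);
    if (size < 2 || size >= 0x80000000u || size > len - 6) return -1; /* negative = deleted */
    size_t off = 8, end = 6 + (size_t)size;
    if (take(b, end, &off, realm, sizeof realm)) return -1;
    e->princ[0] = '\0';
    for (unsigned i = 0, nc = be16(b + 6); i < nc; i++) {
        if (i) strcat(e->princ, "/");            /* fits: take() left a spare byte */
        if (take(b, end, &off, e->princ, sizeof e->princ)) return -1;
    }
    if (strlen(e->princ) + strlen(realm) + 2 > sizeof e->princ) return -1;
    strcat(strcat(e->princ, "@"), realm);
    if (off + 13 > end) return -1; /* name_type 4, timestamp 4, vno8 1, enctype 2, keylen 2 */
    e->kvno = b[off + 8];          /* 8-bit kvno; the optional 32-bit trailer is not read */
    e->enctype = be16(b + off + 9); e->keylen = be16(b + off + 11); /* key bytes follow */
    return off + 13 + e->keylen <= end ? 0 : -1;
}

int main(void) {
    struct kt_entry e;
    if (kt_first_entry(SAMPLE, sizeof SAMPLE - 1, &e)) return 1;
    return printf("%s kvno=%u enctype=%u keylen=%u\n", e.princ, e.kvno, e.enctype, e.keylen) < 0;
}
```

Because the entry contains the key itself, the keytab file needs the same protection as a password: readable only by the service account.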