One more question WRT gssapi...

Tom Yu tlyu at MIT.EDU
Tue Jul 26 22:20:42 EDT 2005


>>>>> "jiva" == Jiva DeVoe <jiva at devoesquared.com> writes:

jiva> I have a long-running service... (like an ftp server, or a web server
jiva> or whatever, though it's a program I am writing myself)... and users
jiva> will access it using a client program (like an ftp client).

jiva> Now I assume the user would kinit prior to running the client
jiva> program, so I can see how that works.  But in the case of the server,
jiva> I am confused about how the server process gains its initial TGT.

jiva> I understand that I can use a keytab file for the server process, but
jiva> doesn't it still need to call kinit (say in its startup script)
jiva> prior to calling gss_acquire_cred() ?

krb5 GSS credentials for accepting do not require running kinit; the
accepting credentials are effectively identical to the keytab.  (We'll
ignore the user-to-user auth issue for now.)  It is initiating
credentials which require running kinit.

jiva> Is there an API call for that kinit?  In my program, I've been
jiva> calling the kinit cmd line program prior to running the program.  Do
jiva> I need to put that into my startup script?  (This is all on Linux BTW).

There is the krb5_get_init_creds() API.

jiva> On an unrelated note: Is it possible for a server process to have
jiva> multiple TGT for different principals?  (Why?  For unit tests for my
jiva> code - simulating the user client process/credentials and the server
jiva> process/credentials).

Yes, but it may become rather complex to handle from a programming
perspective.

---Tom
