One more question WRT gssapi...

Jeffrey Altman jaltman at MIT.EDU
Tue Jul 26 22:49:45 EDT 2005

The server should never have a need to execute a gss_init_context().

To send encrypted data you process it with gss_wrap() (see gss-client.c)
and the process the data with gss_unwrap() on the receiver.  Both sides
of the connection can call gss_wrap() and gss_unwrap() as well as
gss_get_mic() and gss_verify_mic().

Jeffrey Altman

Jiva DeVoe wrote:

> On Jul 26, 2005, at 10:18 PM, Jeffrey Altman wrote:
>> The server should be calling gss_accept_context and does not obtain
>> its own initial ticket.  It uses the key stored in the keytab file
>> to decrypt the service ticket delivered by the client as part of the
>> authentication negotiation.
>> Have you examined the source code to the gss-client and gss-server
>> sample applications?
> Yep, sure have, and used those as an example of "what to do" - just 
> trying to understand it.
> So what about if I want to then send encrypted data to the client 
> program?  Do I use the context I have gotten from accept_context for 
> that?  Is there ever a case where I'd need to init_context from the 
> server to the client?  I was under the impression I should  init_context
> to the client in the case that I want to send data to her.
>> Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2707 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the krbdev mailing list