One more question WRT gssapi...
jiva at devoesquared.com
Tue Jul 26 22:56:45 EDT 2005
Right, exactly... and for gss_wrap you have to have a context, which
I assume you're saying should be the one sent from the client.
Ok, so that said... what about the peer to peer case? What if I have
two long-running server processes that need to communicate? What's
the "appropriate" way to handle that?
BTW, thank you very much for the info. You can see why I was looking
for general docs... I had several questions. So I appreciate the info.
A server still has to do a gss_acquire_cred right? It's just that it
doesn't need to have done a kinit for it right? Or does a server not
even need to do gss_acquire_cred?
On Jul 26, 2005, at 10:49 PM, Jeffrey Altman wrote:
> The server should never have a need to execute a gss_init_context().
> To send encrypted data you process it with gss_wrap() (see gss-
> and the process the data with gss_unwrap() on the receiver. Both
> of the connection can call gss_wrap() and gss_unwrap() as well as
> gss_get_mic() and gss_verify_mic().
> Jeffrey Altman
> Jiva DeVoe wrote:
>> On Jul 26, 2005, at 10:18 PM, Jeffrey Altman wrote:
>>> The server should be calling gss_accept_context and does not obtain
>>> its own initial ticket. It uses the key stored in the keytab file
>>> to decrypt the service ticket delivered by the client as part of the
>>> authentication negotiation.
>>> Have you examined the source code to the gss-client and gss-server
>>> sample applications?
>> Yep, sure have, and used those as an example of "what to do" - just
>> trying to understand it.
>> So what about if I want to then send encrypted data to the client
>> program? Do I use the context I have gotten from accept_context for
>> that? Is there ever a case where I'd need to init_context from the
>> server to the client? I was under the impression I should
>> to the client in the case that I want to send data to her.
>>> Jeffrey Altman
PowerCard - Intuitive Project Management for Mac OS X
More information about the krbdev