One more question WRT gssapi...

Russ Allbery rra at stanford.edu
Tue Jul 26 23:16:05 EDT 2005


Jiva DeVoe <jiva at devoesquared.com> writes:

> Ok, so that said... what about the peer to peer case?  What if I have
> two long-running server processes that need to communicate?  What's the
> "appropriate" way to handle that?

In the GSSAPI world, one of them will be a client and one of them will be
a server.  It's fairly arbitrary which you designate as which, except that
the client will need to have a ticket and the server will need to have a
keytab that it can use to verify it.

In a GSSAPI authentication, there is always a client and a server.

> A server still has to do a gss_acquire_cred right?  It's just that it
> doesn't need to have done a kinit for it right?  Or does a server not
> even need to do gss_acquire_cred?

A server does not need to acquire credentials.  Step back a level and look
at it from a higher-level perspective:  the client is authenticating to
the server.  The client therefore obtains credentials and presents them to
the server, which verifies them (and then does some additional work so
that the client can be assured that the server is who it claims to be).
Why would the server need credentials?  It doesn't present credentials to
anyone; only the client does that.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
