One more question WRT gssapi...
Jeffrey Altman
jaltman at MIT.EDU
Tue Jul 26 23:22:31 EDT 2005
Jiva DeVoe wrote:

> Right, exactly... and for gss_wrap you have to have a context, which I
> assume you're saying should be the one sent from the client.

You need the context for any gss_xxx() call that you make on either side
of the connection. On the server, the context is the output of the
gss_accept_context() call.

> Ok, so that said... what about the peer to peer case? What if I have
> two long-running server processes that need to communicate? What's the
> "appropriate" way to handle that?

If you have two long term processes, one of them becomes a client and
the other is a server. The client will call gss_init_context() and
will obtain an initial TGT using init with a keytab file.

> A server still has to do a gss_acquire_cred right? It's just that it
> doesn't need to have done a kinit for it right? Or does a server not
> even need to do gss_acquire_cred?

gss_acquire_cred() is called by the server. See the gss-server.c
example server_acquire_creds() function.

Jeffrey Altman