gss_acquire_cred with GSS_C_BOTH usage option

Nathan Huff Nathan.Huff at
Wed Sep 21 11:32:17 EDT 2005

The behavior of the MIT KRB5 GSSAPI implementation's gss_acquire_cred
call seems, if not incorrect, then particularly unuseful if GSS_C_BOTH
is specified for cred usage.  If I am reading the code correctly,
you need to have a keytab entry for the principal and a credential
cache with the same principal in it before the call is made.  This is
not very easy to do if the communication is between daemon processes
that may need to create connections at different times.

The main issue I am running into is ipsec-tools.  Racoon, the IKE
daemon, can do GSSAPI authentication between the different daemons.
From what I gather from their mailing list, they built their code against
Heimdal.  The Heimdal code basically does the same thing as the MIT
code, but if it can't find the credential cache or can't find the
correct creds in it, it will try and acquire them using the keytab
entry.  This seems much more useful for this kind of operation.

I am wondering if people think this would be a worthwhile change? 

Nathan Huff                            Nathan.Huff at
Information Technology Services        (701) 231-6145 (Voice)
Room 242H, IACC Building
North Dakota State University, Fargo, ND 58105-5164
