RX Kerberos 5 security class requirements of Kerberos library

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jan 3 14:04:26 EST 2007

Sam Hartman wrote:
> I don't seem to have Jeff's original message with the prototype although I do have a reply to that message.
> Jeff's API really has a lot of arguments.  I think that we've learned
> from KLL and CCAPI that by the time you have that many arguments you
> want to be using a structure similar to get_init_creds with an options
> interface.
> It also seems like you only support passing in one authorization data
> item and one address.  That seems wrong.
> --Sam

Here is a prototype for a convenience function that will wrap gic:

  krb5_error_code KRB5_CALLCONV
      krb5_context context,
      krb5_principal client,
      krb5_keytab    client_keytab,
      krb5_principal service,
      krb5_keytab    service_keytab,
      krb5_deltat    tkt_life,
      krb5_enctype  *allowed_enctypes,
      krb5_flags     flags,
      krb5_creds** out_creds /* out */ )

The flags field may never be used.

The start and end times were replaced with ticket lifetime since
that is what gic accepts.

Jeffrey Altman

