Session key extraction
Luke Howard
lukeh at padl.com
Tue Dec 23 03:06:26 EST 2008
Folks,

I should add some background on the implemented mechanism and
credential introspection APIs. I implemented these for Heimdal some
years ago; since then, Heimdal has re-implemented them, and my
original version was ported to MIT (and contributed by Novell).

Essentially they provide a way to inquire and set attributes on
contexts and credentials, attributes being defined by OIDs. The bulk
of the APIs are defined here:

http://www.ogf.org/documents/GFD.24.pdf

All mechanism-specific APIs in GSS-API have been re-implemented in
terms of these to avoid abstraction violations.

Two additional APIs are defined, gssspi_set_cred_option() (which sets
an attribute on a credential) and gssspi_mech_invoke() (which is a
catch-all context/credential-handle-less mechanism for invoking a
mechanism-specific API).

Another approach would be GSS_Query_context_attr(), as defined in
NegoEx. But that seems a bit SSPI-ish.

-- Luke