Session key extraction

Luke Howard lukeh at
Tue Dec 23 03:06:26 EST 2008


I should add some background on the implemented mechanism and  
credential introspection APIs. I implemented these for Heimdal some  
years ago; since then, Heimdal has re-implemented them, and my  
original version ported to MIT (and contributed by Novell).

Essentially they provide a way to inquire and set attributes on  
contexts and credentials, attributes being defined by OIDs. The bulk  
of the APIs are defined here:

All mechanism-specific APIs in GSS-API have been re-implemented in  
terms of these to avoid abstraction violations.

Two additional APIs are defined, gssspi_set_cred_option() (which sets  
an attribute on a credential) and gssspi_mech_invoke() (which is a  
catch-all context/credential-handle-less mechanism for invoking a  
mechanism-specific API).

Another approach would be GSS_Query_context_attr(), as defined in  
NegoEx. But that seems a bit SSPI-ish.

-- Luke

More information about the krbdev mailing list