Validating Kerberos tickets

Douglas E. Engert deengert at anl.gov
Tue Aug 25 12:33:04 EDT 2009



Santiago Rivas wrote:
> Well, both the KDC and the client-side of the application are
> running on different Debian GNU/Linux machines. But the client could also be
> executed on a Windows machine, since it is written in Java.
> 
> You are right, Douglas, the server-side of my application is currently
> running on a Windows machine, but I'm planning the development of the
> same functionality for a Linux machine. So the challenge is to write it in
> C, but I don't know where to download C GSSAPI libraries from... Are there
> any free C GSSAPI frameworks available on the web to download?

The MIT Kerberos comes with the GSSAPI library and headers, so I am not sure what
you are missing. When you say framework, are you looking for examples, or how to
avoid having to make the GSSAPI calls yourself?  There are lots of gssapi examples
available, including the ones in the Kerberos distribution, in the appl/gss-sample
directory.

One example of this is the Globus GSSAPI assist libraries, that do some of the GSSAPI
calls for you. It was originally designed to work with the Globus gsi mechanism
but should work as well with the Kerberos mechanism.


> 
> Thanks again for your help!
> 
> Regards,
> Santiago
> 
> 2009/8/24 Douglas E. Engert <deengert at anl.gov>
> 
>>
>>
>> Santiago Rivas wrote:
>>
>>> Hi, Douglas
>>>  I had already read that document (in my opinion, a very good one!). But
>>> it does not contain enough information for my purpose: the client-side of
>>> the application is running through a web browser and it is written in Java.
>>> I'm using GSS-API with JAAS, which I agree that makes things a lot easier.
>>> But the point is that server-side must be written in C, in order to compile
>>> it into a DLL. I have searched for a C-GSSAPI framework... with poor
>>> results.
>>>
>> So the server is on Windows. Then you might be able to use the Microsoft SSPI
>> on the server, as SSPI uses the same protocol as GSSAPI. I have done SSPI
>> clients to GSS-API servers on Unix, but not the other way.
>>
>>>  I have downloaded several archives from:
>>> http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/gssapi/
>>>  But I'm not able to get it working for Visual Studio. Is there any
>>> website where I can download an open source C GSSAPI framework?
>>>  Thanks a lot!
>>>  Regards,
>>> Santiago
>>>
>>>
>>> 2009/8/21 Douglas E. Engert <deengert at anl.gov>
>>>
>>>
>>>
>>>    Santiago Rivas wrote:
>>>
>>>        Hi everyone,
>>>
>>>        I have recently started working with Kerberos v5 and I have read many
>>>        manuals and documents explaining the protocol and showing some short sample
>>>        code. I'm writing a custom C / Java application and I want to "kerberize" it
>>>        in order to achieve Single Sign-On. Up to now, I'm able to generate both tgt
>>>        and tgs tickets on the client, but the main challenge I find is how to
>>>        validate the tgs ticket once it's received by the server side of the
>>>        application... Any help? Thanks in advance!
>>>
>>>
>>>    You say it is C / Java. If you are calling Kerberos from Java, have
>>>    you looked at:
>>>
>>>
>>> http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/single-signon.html
>>>
>>>    You might be better off using the GSS-API rather than Kerberos directly.
>>>    The above URL has an example for that too.
>>>
>>>    Google for java kerberos to find other references.
>>>
>>>
>>>
>>>        PS: I would appreciate seeing some source code or reading specific
>>>        documentation on this task.
>>>        _______________________________________________
>>>        krbdev mailing list             krbdev at mit.edu
>>>        https://mailman.mit.edu/mailman/listinfo/krbdev
>>>
>>>
>>>
>>>    --
>>>     Douglas E. Engert  <DEEngert at anl.gov>
>>>     Argonne National Laboratory
>>>     9700 South Cass Avenue
>>>     Argonne, Illinois  60439
>>>     (630) 252-5444
>>>
>>>
>>>
>> --
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


